AO-All 1 604  STANFORD UNIV CA DEPT OF COMPUTER SCIENCE  F/G 9/2

VERIFICATION OF SEQUENTIAL PROGRAMS: TEMPORAL AXIOMATIZATION (U)

SEP 81  Z MANNA  N00019-76-C-0687

UNCLASSIFIED  STAN-CS-61-677  NL






September  1981 


Report No. STAN-CS-81-871


Verification  of  Sequential  Programs: 
Temporal  Axiomatization 


by 


Zohar  Manna 


Department  of  Computer  Science 

Stanford  University 
Stanford,  CA  94305 



VERIFICATION OF SEQUENTIAL PROGRAMS:
TEMPORAL AXIOMATIZATION

ZOHAR MANNA

Computer Science Dept.
Stanford University
Stanford, CA

Applied Mathematics Dept.
The Weizmann Institute
Rehovot, Israel


Abstract

This is one in a series of reports describing the application of temporal logic to the specification and verification of computer programs.

In earlier reports, we introduced temporal logic as a tool for reasoning about concurrent programs and specifying their properties [MP1] and presented proof principles for establishing these properties [MP2]. Here, we restrict ourselves to deterministic, sequential programs. We present a proof system in which properties of such programs, expressed as temporal formulas, can be proved formally.

Our proof system consists of three parts: a general part elaborating the properties of temporal logic, a domain part giving an axiomatic description of the data domain, and a program part giving an axiomatic description of the program under consideration.

We illustrate the use of the proof system by giving two alternative formal proofs of the total correctness of a simple program.
1. INTRODUCTION


Temporal logic is a modal logic in which we impose special restrictions on the models of interpretation ([IMtl], [RUjjjl’NUj.jGPSS], [M1M]). A universe for temporal logic consists of a collection of states (worlds). A state s' is accessible from a state s if, through development in time, s can change into s'. We concentrate on histories of development which are linear and discrete. Thus, the models of temporal logic consist of ω-sequences, i.e., infinite sequences of the form σ = s0, s1, .... In such a sequence, s_j is accessible from s_i if i ≤ j. On these states we define an immediate accessibility relation ρ which is required to be a function. That means that every state s has exactly one other state s' such that ρ(s, s'). This corresponds to our intuition that in a discrete time model each instant has exactly one immediate successor. The transitive reflexive closure of ρ, R = ρ*, is the accessibility relation; intuitively, R(s, s') holds when s' is either identical to s or lies in the future of s.

We  first  describe  the  temporal  language  we  are  going  to  use.  This  language  is  designed  specially 
for  the  application  we  have  in  mind,  namely  reasoning  about  programs,  and  is  not  necessarily  the 
most  general  temporal  language  possible. 

The language uses a set of basic symbols consisting of individual variables and constants, and proposition, function and predicate symbols. The set is partitioned into two subsets: global and local symbols. The global symbols have a uniform interpretation over the complete universe and do not change their values or meanings from one state to another. The local symbols, on the other hand, may assume different meanings and values in different states of the universe. For our purpose, the only local symbols that interest us are local individual variables. We will have global symbols of all types.

We use the regular set of boolean connectives: ∧, ∨, ⊃, ≡, and ~ together with the equality operator = and the first-order quantifiers ∀ and ∃. This set is referred to as the classical operators. The quantifiers ∀ and ∃ are applied only to global individual variables.

The modal operators used are: □, ◇, ○, and U, which are called respectively the always, sometime, next and until operators. The first three operators are unary while the U operator is binary. We use the next operator ○ in two different ways - as a temporal operator applied to formulas and as a temporal operator applied to terms.

A model (I, α, σ) for our language consists of a (global) interpretation I, a (global) assignment α and a sequence of states σ.

• The interpretation I specifies a nonempty domain D and assigns concrete elements, functions and predicates to the (global) individual constants, function and predicate symbols.

• The assignment α assigns a value over the appropriate domain to each of the global free individual variables.

• The sequence σ = s0, s1, ... is an infinite sequence of states. Each state s_i assigns values to the local free individual variables and propositions.

For a sequence

  σ = s0, s1, ...

we denote by

  σ^(i) = s_i, s_{i+1}, ...

the i-truncated suffix of σ.

Given a temporal formula w, we present below an inductive definition of the truth value of w in a model (I, α, σ). The value of a subformula or term τ under (I, α, σ) is denoted by $\tau|^{\sigma}_{\alpha}$, I being implicitly assumed.

Consider first the evaluation of terms:

• For a local individual variable or local proposition y:

  $y|^{\sigma}_{\alpha} = y|_{s_0}$,

  i.e., the value assigned to y in s_0, the first state of σ.

• For a global individual variable or global proposition u:

  $u|^{\sigma}_{\alpha} = u|_{\alpha}$,

  i.e., the value assigned to u by α.

• For an individual constant c the evaluation is given by I:

  $c|^{\sigma}_{\alpha} = I[c]$.

• For a k-ary function f:

  $f(t_1, \ldots, t_k)|^{\sigma}_{\alpha} = I[f]\,(t_1|^{\sigma}_{\alpha}, \ldots, t_k|^{\sigma}_{\alpha})$,

  i.e., the value is given by the application of the interpreted function I[f] to the values of t_1, ..., t_k evaluated in the environment (I, α, σ).

• For a term t:

  $(\bigcirc t)|^{\sigma}_{\alpha} = t|^{\sigma^{(1)}}_{\alpha}$,

  i.e., the value of ○t in σ = s_0, s_1, ... is given by the value of t in the shifted sequence σ^(1) = s_1, s_2, ....

Consider now the evaluation of formulas:

• For a k-ary predicate p (including equality):

  $p(t_1, \ldots, t_k)|^{\sigma}_{\alpha} = I[p]\,(t_1|^{\sigma}_{\alpha}, \ldots, t_k|^{\sigma}_{\alpha})$.

  Here again, we evaluate the arguments in the environment and then test I[p] on them.

• For a disjunction:

  $(w_1 \lor w_2)|^{\sigma}_{\alpha} = true$ iff $w_1|^{\sigma}_{\alpha} = true$ or $w_2|^{\sigma}_{\alpha} = true$.

• For a negation:

  $(\sim w)|^{\sigma}_{\alpha} = true$ iff $w|^{\sigma}_{\alpha} = false$.

• For a next-time application:

  $(\bigcirc w)|^{\sigma}_{\alpha} = w|^{\sigma^{(1)}}_{\alpha}$.

  Thus ○w means: w will be true in the next instant - read “next w”.

• For an all-times application:

  $(\Box w)|^{\sigma}_{\alpha} = true$ iff for every $k \geq 0$, $w|^{\sigma^{(k)}}_{\alpha} = true$,

  i.e., w is true for all suffix sequences of σ. Thus □w means: w is true for all future instants (including the present) - read “always w” or “henceforth w”.

• For a some-time application:

  $(\Diamond w)|^{\sigma}_{\alpha} = true$ iff there exists a $k \geq 0$ such that $w|^{\sigma^{(k)}}_{\alpha} = true$,

  i.e., w is true on at least one suffix of σ. Thus ◇w means: w will be true for some future instant (possibly the present) - read “sometimes w” or “eventually w”.

• For an until application:

  $(w_1\,\mathcal{U}\,w_2)|^{\sigma}_{\alpha} = true$ iff for some $k \geq 0$, $w_2|^{\sigma^{(k)}}_{\alpha} = true$ and for all $i$, $0 \leq i < k$, $w_1|^{\sigma^{(i)}}_{\alpha} = true$.

  Thus w1 U w2 means: there is a future instant in which w2 holds, and such that until that instant w1 holds - read “w1 until w2”.

• For a universal quantification:

  $(\forall u.\,w)|^{\sigma}_{\alpha} = true$ iff for every $d \in D$, $w|^{\sigma}_{\alpha'} = true$,

  where $\alpha' = \alpha \circ [u \leftarrow d]$ is the assignment obtained from α by assigning d to u.

• For an existential quantification:

  $(\exists u.\,w)|^{\sigma}_{\alpha} = true$ iff for some $d \in D$, $w|^{\sigma}_{\alpha'} = true$,

  where $\alpha' = \alpha \circ [u \leftarrow d]$.

A formula w is valid if it is true in every model (I, α, σ).


Having defined valid formulas, we naturally look for a deductive system. In such a system we take some of the valid formulas as basic axioms and provide a set of sound inference rules by which we hope to be able to prove the other valid formulas as theorems. In order to denote the fact that a formula w is a theorem derivable in our deductive system we will write ⊢ w. This will be the case if w is an axiom or is derivable from the axioms by a proof using the inference rules of the system.

We partition our deductive system into a general part dealing with the general temporal properties of discrete linear sequences, a domain part which gives an axiomatic description of the necessary knowledge about the domain, and a program part which gives an axiomatic description of a particular program.

We start with the general part, describing first the axiomatic system for propositional temporal logic in which we do not admit predicates or quantification. We treat first the “classical” modal operators □ and ◇ (the modal system), and later add the special operators ○ and U (the temporal system).

2. THE □ (“ALWAYS”) AND ◇ (“SOMETIME”) OPERATORS


Axioms:

A1. ⊢ ~◇w ≡ □~w
A2. ⊢ □(w1 ⊃ w2) ⊃ (□w1 ⊃ □w2)
A3. ⊢ □w ⊃ w
A4. ⊢ □w ⊃ □□w

Axiom A1 defines ◇ as the dual of □; it states that at all times w is false iff it is not the case that sometime w holds. Axiom A2 states that if universally w1 implies w2 then if at all times w1 is true then so is w2. Axiom A3 establishes the present as part of the future by stating that if w is true at all future times it must be true of the present. Axiom A4 states that if w holds in the future, it holds in the future of the future.


Inference rules:

R1. If w is an instance of a propositional tautology then ⊢ w
    (Propositional Tautology - PT)

R2. If ⊢ w1 ⊃ w2 and ⊢ w1 then ⊢ w2
    (Modus Ponens - MP)

R3. If ⊢ w then ⊢ □w
    (□ Insertion - □I)

All these rules are sound. The soundness of R1 and R2 is obvious. Note that in R1 we also include modal instances of tautologies; we may substitute an arbitrary modal formula for a proposition letter in obtaining an instance. For example □w ⊃ □w is a modal instance of the tautology p ⊃ p. To justify R3, we recall that validity of w means that w is true in all models, hence □w is also valid.

This system provides a logical basis for “propositional” modal reasoning. In Modal Logic circles, this system is known as S4 (see, e.g., [HC]). This system constrains R to be reflexive (A3) and transitive (A4).

Before demonstrating some theorems that can be proved in this system, we develop several useful derived rules:

Propositional Reasoning - PR

  ⊢ (w1 ∧ w2 ∧ ... ∧ wn) ⊃ w
  ⊢ w1, ⊢ w2, ..., and ⊢ wn
  ----------------------------
  ⊢ w

The notation above is used to describe inference rules. It has the general form

  ⊢ φ1, ⊢ φ2, ..., ⊢ φm
  ----------------------
  ⊢ ψ

and means that if we have already proved φ1, ..., φm (the assumptions of the rule), we are allowed by this rule to infer ψ (the conclusion of the rule).

proof:

The rule follows from the propositional tautology (Rule R1)

  ⊢ [(w1 ∧ w2 ∧ ... ∧ wn) ⊃ w] ⊃ [w1 ⊃ (w2 ⊃ (... (wn ⊃ w) ...))]

by applying MP (Rule R2) n + 1 times.

Whenever we apply this derived rule without indicating the antecedent

  ⊢ (w1 ∧ w2 ∧ ... ∧ wn) ⊃ w,

it means that this formula is simply an instance of a propositional tautology.


□□ Rules

  (a)  ⊢ w1 ⊃ w2          (b)  ⊢ w1 ≡ w2
       -------------           -------------
       ⊢ □w1 ⊃ □w2            ⊢ □w1 ≡ □w2

proof of (a):

1. ⊢ w1 ⊃ w2                         given
2. ⊢ □(w1 ⊃ w2)                      by □I
3. ⊢ □(w1 ⊃ w2) ⊃ (□w1 ⊃ □w2)        by A2
4. ⊢ □w1 ⊃ □w2                       by 2, 3, and MP

Rule (b) then follows by propositional reasoning, since

  [(w1 ⊃ w2) ∧ (w2 ⊃ w1)] ≡ (w1 ≡ w2)

is a tautology.

◇◇ Rules

  (a)  ⊢ w1 ⊃ w2          (b)  ⊢ w1 ≡ w2
       -------------           -------------
       ⊢ ◇w1 ⊃ ◇w2            ⊢ ◇w1 ≡ ◇w2

proof of (a):

1. ⊢ w1 ⊃ w2            given
2. ⊢ ~w2 ⊃ ~w1          by PR
3. ⊢ □~w2 ⊃ □~w1        by □□
4. ⊢ ~◇w2 ⊃ ~◇w1        by A1 and PR
5. ⊢ ◇w1 ⊃ ◇w2          by PR

Rule (b) then follows by propositional reasoning.


Equivalence Rule - ER

Let w' be the result of replacing an occurrence of a subformula v1 in w by v2. Then

  ⊢ v1 ≡ v2
  -----------
  ⊢ w ≡ w'

proof:

By induction on the structure of w.

Case: w is v1. Then w' is v2 and ⊢ v1 ≡ v2 implies ⊢ w ≡ w'.

Case: w is of the form ~u. We assume that ⊢ v1 ≡ v2 implies ⊢ u ≡ u'. Then by propositional reasoning ⊢ ~u ≡ ~u', i.e., ⊢ w ≡ w'.

Case: w is of the form u1 ∨ u2. We assume that if ⊢ v1 ≡ v2, then ⊢ u1 ≡ u1' and ⊢ u2 ≡ u2'. Then by propositional reasoning ⊢ (u1 ∨ u2) ≡ (u1' ∨ u2'), i.e., ⊢ w ≡ w'.

The cases where w is of the form u1 ⊃ u2, etc. are similar.

Case: w is of the form □u. We assume that if ⊢ v1 ≡ v2, then ⊢ u ≡ u'. By the □□-rule, ⊢ □u ≡ □u', i.e., ⊢ w ≡ w'.

The case in which w is of the form ◇u is treated similarly, using the ◇◇-rule.

Some theorems that can be derived in the system are:

T1. ⊢ w ⊃ ◇w

proof:

1. ⊢ (□~w) ⊃ ~w        by A3
2. ⊢ w ⊃ (~□~w)        by PR
3. ⊢ w ⊃ ◇w            by A1 and PR

The theorem implies (by MP)

◇ Insertion - ◇I

  ⊢ w
  ------
  ⊢ ◇w

We can derive the converse of axiom A4 as stated in the modal system, and thus prove:

T2. ⊢ □w ≡ □□w

proof:

1. ⊢ □w ⊃ □□w        by A4
2. ⊢ □w ⊃ w          by A3
3. ⊢ □□w ⊃ □w        by □□
4. ⊢ □w ≡ □□w        by 1, 3, and PR

T3. ⊢ ◇w ≡ ◇◇w

proof:

1. ⊢ □~w ≡ □□~w          by T2
2. ⊢ ~□~w ≡ ~□□~w        by PR
3. ⊢ ◇w ≡ ~□~◇w          by A1 and ER
4. ⊢ ◇w ≡ ◇◇w            by A1 and PR

Because of these last two theorems we can collapse any string of consecutive identical modalities such as □ ... □ or ◇ ... ◇ into a single modality of the same type.

Note that to derive line 3 from line 2 we could not use propositional reasoning (PR), but we had to use the equivalence rule (ER). The subformula □~w in

  2. ⊢ ... ≡ ~□□~w

was replaced by the equivalent subformula ~◇w to obtain

  3. ⊢ ... ≡ ~□~◇w.

But this replacement is inside □ and thus cannot be justified by propositional reasoning. The replacement done on the left-hand side of the equivalence can be justified by propositional reasoning.

T4. ⊢ (◇~w) ≡ (~□w)

proof:

1. ⊢ (~~w) ≡ w            by PT
2. ⊢ (□~~w) ≡ □w          by □□
3. ⊢ (~◇~w) ≡ □w          by A1 and PR
4. ⊢ (◇~w) ≡ (~□w)        by PR

T5. ⊢ □(w1 ⊃ w2) ⊃ (◇w1 ⊃ ◇w2)

proof:

1. ⊢ (w1 ⊃ w2) ≡ (~w2 ⊃ ~w1)               by PT
2. ⊢ □(w1 ⊃ w2) ≡ □(~w2 ⊃ ~w1)             by □□
3. ⊢ □(~w2 ⊃ ~w1) ⊃ (□~w2 ⊃ □~w1)          by A2
4. ⊢ (□~w2 ⊃ □~w1) ≡ (~◇w2 ⊃ ~◇w1)         by A1 and PR
5. ⊢ (~◇w2 ⊃ ~◇w1) ≡ (◇w1 ⊃ ◇w2)           by PT
6. ⊢ □(w1 ⊃ w2) ⊃ (◇w1 ⊃ ◇w2)              by 2, 3, 4, 5, and PR

T6. ⊢ □(w1 ∧ w2) ≡ (□w1 ∧ □w2)

proof:

1. ⊢ (w1 ∧ w2) ⊃ w1                         by PT
2. ⊢ □(w1 ∧ w2) ⊃ □w1                       by □□
3. ⊢ (w1 ∧ w2) ⊃ w2                         by PT
4. ⊢ □(w1 ∧ w2) ⊃ □w2                       by □□
5. ⊢ □(w1 ∧ w2) ⊃ (□w1 ∧ □w2)               by 2, 4, and PR
6. ⊢ w1 ⊃ (w2 ⊃ (w1 ∧ w2))                  by PT
7. ⊢ □w1 ⊃ □(w2 ⊃ (w1 ∧ w2))                by □□
8. ⊢ □(w2 ⊃ (w1 ∧ w2)) ⊃ (□w2 ⊃ □(w1 ∧ w2)) by A2
9. ⊢ □w1 ⊃ (□w2 ⊃ □(w1 ∧ w2))               by 7, 8, and PR
10. ⊢ (□w1 ∧ □w2) ⊃ □(w1 ∧ w2)              by PR
11. ⊢ □(w1 ∧ w2) ≡ (□w1 ∧ □w2)              by 5, 10, and PR


T7. ⊢ ◇(w1 ∨ w2) ≡ (◇w1 ∨ ◇w2)

proof:

1. ⊢ □(~w1 ∧ ~w2) ≡ (□~w1 ∧ □~w2)          by T6
2. ⊢ □~(w1 ∨ w2) ≡ ~(~□~w1 ∨ ~□~w2)        by ER
3. ⊢ ~◇(w1 ∨ w2) ≡ ~(◇w1 ∨ ◇w2)            by A1 and PR
4. ⊢ ◇(w1 ∨ w2) ≡ (◇w1 ∨ ◇w2)              by PR

Note that because of the universal character of □ it can be distributed over ∧ (Theorem T6), while ◇, which is of existential character, can be distributed over ∨ (Theorem T7).

T8. ⊢ ◇(w1 ∧ w2) ⊃ (◇w1 ∧ ◇w2)

proof:

1. ⊢ ◇(w1 ∧ w2) ⊃ ◇w1               by PT and ◇◇
2. ⊢ ◇(w1 ∧ w2) ⊃ ◇w2               by PT and ◇◇
3. ⊢ ◇(w1 ∧ w2) ⊃ (◇w1 ∧ ◇w2)       by 1, 2, and PR

T9. ⊢ (□w1 ∨ □w2) ⊃ □(w1 ∨ w2)

proof:

1. ⊢ □w1 ⊃ □(w1 ∨ w2)               by PT and □□
2. ⊢ □w2 ⊃ □(w1 ∨ w2)               by PT and □□
3. ⊢ (□w1 ∨ □w2) ⊃ □(w1 ∨ w2)       by 1, 2, and PR

T10. ⊢ (□w1 ∧ ◇w2) ⊃ ◇(w1 ∧ w2)

proof:

1. ⊢ □(w1 ⊃ ~w2) ⊃ (□w1 ⊃ □~w2)         by A2
2. ⊢ □~(w1 ∧ w2) ⊃ ~(□w1 ∧ ~□~w2)       by ER
3. ⊢ ~◇(w1 ∧ w2) ⊃ ~(□w1 ∧ ◇w2)         by A1 and PR
4. ⊢ (□w1 ∧ ◇w2) ⊃ ◇(w1 ∧ w2)           by PR

another proof (without using ER):

1. ⊢ w1 ⊃ (w2 ⊃ (w1 ∧ w2))                  by PT
2. ⊢ □w1 ⊃ □(w2 ⊃ (w1 ∧ w2))                by □□
3. ⊢ □(w2 ⊃ (w1 ∧ w2)) ⊃ (◇w2 ⊃ ◇(w1 ∧ w2)) by T5
4. ⊢ □w1 ⊃ (◇w2 ⊃ ◇(w1 ∧ w2))               by 2, 3, and PR
5. ⊢ (□w1 ∧ ◇w2) ⊃ ◇(w1 ∧ w2)               by PR


The following derived rules correspond to proof rules existing in most axiomatic verification systems:

Consequence Rules - ◇Q and □Q

  ⊢ w1 ⊃ w2           ⊢ w1 ⊃ w2
  ⊢ w2 ⊃ ◇w3          ⊢ w2 ⊃ □w3
  ⊢ w3 ⊃ w4           ⊢ w3 ⊃ w4
  -----------         -----------
  ⊢ w1 ⊃ ◇w4          ⊢ w1 ⊃ □w4

proof of ◇Q:

1. ⊢ w1 ⊃ w2         given
2. ⊢ w2 ⊃ ◇w3        given
3. ⊢ w3 ⊃ w4         given
4. ⊢ ◇w3 ⊃ ◇w4       by 3 and ◇◇
5. ⊢ w1 ⊃ ◇w4        by 1, 2, 4, and PR

The □Q rule is proved similarly by the □□-rule.

Concatenation Rules - ◇C and □C

  ⊢ w1 ⊃ ◇w2          ⊢ w1 ⊃ □w2
  ⊢ w2 ⊃ ◇w3          ⊢ w2 ⊃ □w3
  -----------         -----------
  ⊢ w1 ⊃ ◇w3          ⊢ w1 ⊃ □w3

proof of ◇C:

1. ⊢ w1 ⊃ ◇w2        given
2. ⊢ w2 ⊃ ◇w3        given
3. ⊢ ◇w2 ⊃ ◇◇w3      by 2 and ◇◇
4. ⊢ ◇w2 ⊃ ◇w3       by T3 and PR
5. ⊢ w1 ⊃ ◇w3        by 1, 4, and PR

The □C rule is proved similarly by the □□-rule.


3. THE ○ (“NEXT”) AND U (“UNTIL”) OPERATORS


Axioms:

C1.  ⊢ ~◇w ≡ □~w
C2.  ⊢ □(w1 ⊃ w2) ⊃ (□w1 ⊃ □w2)
C3.  ⊢ □w ⊃ w
C4.  ⊢ ○~w ≡ ~○w
C5.  ⊢ ○(w1 ⊃ w2) ⊃ (○w1 ⊃ ○w2)
C6.  ⊢ □w ⊃ ○w
C7.  ⊢ □w ⊃ ○□w
C8.  ⊢ □(w ⊃ ○w) ⊃ (w ⊃ □w)
C9.  ⊢ w1 U w2 ≡ [w2 ∨ (w1 ∧ ○(w1 U w2))]
C10. ⊢ w1 U w2 ⊃ ◇w2

Axioms C1-C3 are the same as A1-A3 in the modal system.

Axiom C4 establishes ○ as self-dual. Consequently it implies that the next instant exists and is unique, and restricts our models to linear sequences (no branching).

Axiom C5 is the analogue of C2 for the ○ operator. Axiom C6 states that the next instant is one of the reachable states, i.e., it is also part of the future. Axiom C7 is a weaker version of A4, ⊢ □w ⊃ □□w, and can be used together with C8 to prove A4 as a theorem in this system. Axiom C8 is the “computational induction” axiom; it states that if a property is inherited over one-step transitions, it is invariant over any suffix sequence whose first state satisfies w. Axiom C9 defines the until operator by distributing its effect into what is implied for the present and what is implied for the next instant. Axiom C10 simply states that “w1 until w2” implies that w2 will eventually happen.
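As an added illustration (not code from the report), the following Python evaluator implements the inductive truth definition of Section 1 for the propositional operators over ultimately periodic sequences, and uses it to check instances of axioms C4, C8, C9, C10 and theorem T17 on every small such model. The finite sequence representation (`Lasso`), the tuple encoding of formulas and the bounded model enumeration are this example's own conventions, not the report's.

```python
# Added example, not from the report: the Section 1 truth definition for the
# propositional temporal operators, evaluated over ultimately periodic state
# sequences sigma = s0 .. s_{n-1} (l0 .. l_{m-1})^omega.  Every suffix sigma^(k)
# equals one of the first n+m suffixes, so "for every k" / "for some k" clauses
# are decided by a finite search.
import itertools
from typing import Dict, Iterator, Sequence, Tuple

State = Dict[str, bool]   # values of the local propositions in one state
Formula = tuple           # encoding used here, e.g. ("prop", "p"), ("until", w1, w2)


class Lasso:
    """An omega-sequence given by a finite prefix and a non-empty repeated loop."""

    def __init__(self, prefix: Sequence[State], loop: Sequence[State]) -> None:
        assert len(loop) >= 1, "the loop must be non-empty"
        self.prefix, self.loop = list(prefix), list(loop)

    def first(self) -> State:
        """s0, the state in which local symbols are evaluated."""
        return self.prefix[0] if self.prefix else self.loop[0]

    def suffix(self, k: int) -> "Lasso":
        """sigma^(k) = s_k, s_{k+1}, ..., the k-truncated suffix."""
        n = len(self.prefix)
        if k <= n:
            return Lasso(self.prefix[k:], self.loop)
        r = (k - n) % len(self.loop)          # shift inside the loop
        return Lasso([], self.loop[r:] + self.loop[:r])

    def horizon(self) -> int:
        """sigma^(k) for k >= horizon repeats some sigma^(j) with j < horizon."""
        return len(self.prefix) + len(self.loop)


def holds(w: Formula, sigma: Lasso) -> bool:
    """Truth value of w in the sequence sigma, clause by clause as in Section 1."""
    op, args = w[0], w[1:]
    if op == "prop":
        return sigma.first()[args[0]]         # value assigned to the proposition in s0
    if op == "not":
        return not holds(args[0], sigma)
    if op == "or":
        return holds(args[0], sigma) or holds(args[1], sigma)
    if op == "and":
        return holds(args[0], sigma) and holds(args[1], sigma)
    if op == "implies":
        return (not holds(args[0], sigma)) or holds(args[1], sigma)
    if op == "iff":
        return holds(args[0], sigma) == holds(args[1], sigma)
    if op == "next":                          # O w: w holds in sigma^(1)
        return holds(args[0], sigma.suffix(1))
    if op == "always":                        # [] w: w holds in every suffix
        return all(holds(args[0], sigma.suffix(k)) for k in range(sigma.horizon()))
    if op == "sometime":                      # <> w: w holds in some suffix
        return any(holds(args[0], sigma.suffix(k)) for k in range(sigma.horizon()))
    if op == "until":                         # w1 U w2
        w1, w2 = args
        for k in range(sigma.horizon()):
            if holds(w2, sigma.suffix(k)):
                return True                   # w2 at k, and w1 held at every i < k
            if not holds(w1, sigma.suffix(k)):
                return False                  # w1 fails before any w2 arrives
        return False                          # w2 never occurs
    raise ValueError(f"unknown operator {op!r}")


def all_lassos(props: Tuple[str, ...], max_prefix: int = 2,
               max_loop: int = 2) -> Iterator[Lasso]:
    """Every lasso over `props` with prefix <= max_prefix and loop <= max_loop."""
    states = [dict(zip(props, bits))
              for bits in itertools.product((False, True), repeat=len(props))]
    for n in range(max_prefix + 1):
        for m in range(1, max_loop + 1):
            for pre in itertools.product(states, repeat=n):
                for lp in itertools.product(states, repeat=m):
                    yield Lasso(pre, lp)


def valid_on_small_models(w: Formula, props: Tuple[str, ...] = ("p", "q")) -> bool:
    """Bounded check of validity: a False answer refutes validity, a True answer
    is only evidence for it (the report's notion quantifies over all models)."""
    return all(holds(w, sigma) for sigma in all_lassos(props))


# Instances of axioms C4, C8, C9, C10 and theorem T17 with w1 = p and w2 = q.
P, Q = ("prop", "p"), ("prop", "q")
PUQ = ("until", P, Q)
AXIOM_INSTANCES = {
    "C4": ("iff", ("next", ("not", P)), ("not", ("next", P))),
    "C8": ("implies", ("always", ("implies", P, ("next", P))),
           ("implies", P, ("always", P))),
    "C9": ("iff", PUQ, ("or", Q, ("and", P, ("next", PUQ)))),
    "C10": ("implies", PUQ, ("sometime", Q)),
    "T17": ("iff", ("next", ("always", P)), ("always", ("next", P))),
}
NOT_VALID = ("implies", ("sometime", P), ("always", P))  # refuted by (p, ~p)^omega


def example_sequence() ->  Lasso:
    """Constructed sequence {p} {p} ({q} {})^omega: p U q and []<>q hold at s0."""
    s_p = {"p": True, "q": False}
    s_q = {"p": False, "q": True}
    s_none = {"p": False, "q": False}
    return Lasso([s_p, s_p], [s_q, s_none])
```

With two propositions and prefix and loop lengths at most 2 the search covers 420 sequences, enough to refute ◇p ⊃ □p while every listed axiom instance passes.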




Inference rules:

R1. If w is an instance of a propositional tautology then ⊢ w
    (Propositional Tautology - PT)

R2. If ⊢ w1 ⊃ w2 and ⊢ w1 then ⊢ w2
    (Modus Ponens - MP)

R3. If ⊢ w then ⊢ □w
    (□ Insertion - □I)

These rules are identical to R1-R3 of the modal system. Since axioms C1, C2 and C3 are identical to axioms A1, A2 and A3 and we will show later that axiom A4 is derivable in this system, it follows that all the derived rules of inference and the theorems in the modal system are also derivable in this system. Here are several additional derived rules:


○ Insertion - ○I

  ⊢ w
  ------
  ⊢ ○w

proof:

1. ⊢ w          given
2. ⊢ □w         by □I
3. ⊢ ○w         by C6 and MP

○○ Rules

  (a)  ⊢ w1 ⊃ w2          (b)  ⊢ w1 ≡ w2
       -------------           -------------
       ⊢ ○w1 ⊃ ○w2            ⊢ ○w1 ≡ ○w2

proof of (a):

1. ⊢ w1 ⊃ w2          given
2. ⊢ ○(w1 ⊃ w2)       by ○I
3. ⊢ ○w1 ⊃ ○w2        by C5 and MP

Rule (b) follows by propositional reasoning.

Computational Induction Rule - CI

  ⊢ w ⊃ ○w
  -----------
  ⊢ w ⊃ □w

proof:

1. ⊢ w ⊃ ○w                       given
2. ⊢ □(w ⊃ ○w)                    by □I
3. ⊢ □(w ⊃ ○w) ⊃ (w ⊃ □w)         by C8
4. ⊢ w ⊃ □w                       by 2, 3, and MP


A second derived rule (cited as BI below):

  ⊢ ○w ⊃ w
  -----------
  ⊢ ◇w ⊃ w

proof:

1. ⊢ ○w ⊃ w          given
2. ⊢ ~w ⊃ ~○w        by PR
3. ⊢ ~w ⊃ ○~w        by C4 and PR
4. ⊢ ~w ⊃ □~w        by CI
5. ⊢ ~w ⊃ ~◇w        by C1 and PR
6. ⊢ ◇w ⊃ w          by PR


Consequence Rule - ○Q

  ⊢ w1 ⊃ w2
  ⊢ w2 ⊃ ○w3
  ⊢ w3 ⊃ w4
  -----------
  ⊢ w1 ⊃ ○w4

proof:

1. ⊢ w1 ⊃ w2         given
2. ⊢ w2 ⊃ ○w3        given
3. ⊢ w3 ⊃ w4         given
4. ⊢ ○w3 ⊃ ○w4       by ○○
5. ⊢ w1 ⊃ ○w4        by 1, 2, 4, and PR

Note that we do not have a ○ concatenation rule.

A simple theorem of this system is:

T11. ⊢ ○w ⊃ ◇w

proof:

1. ⊢ (□~w) ⊃ (○~w)        by C6
2. ⊢ (~○~w) ⊃ (~□~w)      by PR
3. ⊢ ○w ⊃ ◇w              by C1, C4, and PR


T12. ⊢ □w ⊃ □□w

proof:

1. ⊢ □w ⊃ ○□w        by C7
2. ⊢ □w ⊃ □□w        by CI

This is the “missing” axiom A4. We have all axioms and rules of the previous system, therefore we can deduce all theorems and derived rules of the modal system.

The following special rule is very useful in proving until theorems:

Next to Present Rule - NP

  ⊢ (○w1 ≡ ○w2) ⊃ (w1 ≡ w2)
  ⊢ w1 ⊃ ◇(w1 ∧ w2)
  ⊢ w2 ⊃ ◇(w1 ∧ w2)
  ---------------------------
  ⊢ w1 ≡ w2

proof:

1. ⊢ w1 ⊃ ◇(w1 ∧ w2)               given
2. ⊢ w2 ⊃ ◇(w1 ∧ w2)               given
3. ⊢ (w1 ∨ w2) ⊃ ◇(w1 ∧ w2)        by 1, 2, and PR
4. ⊢ (w1 ∧ w2) ⊃ (w1 ≡ w2)         by PT
5. ⊢ ◇(w1 ∧ w2) ⊃ ◇(w1 ≡ w2)       by ◇◇
6. ⊢ ○(w1 ≡ w2) ⊃ (w1 ≡ w2)        given
7. ⊢ ◇(w1 ≡ w2) ⊃ (w1 ≡ w2)        by BI
8. ⊢ (w1 ∨ w2) ⊃ (w1 ≡ w2)         by 3, 5, 7, and PR
9. ⊢ w1 ≡ w2                       by PR


We extend now the Equivalence Rule (ER) to handle the ○ and U operators.

Equivalence Rule - ER

Let w' be the result of replacing an occurrence of a subformula v1 in w by v2. Then

  ⊢ v1 ≡ v2
  -----------
  ⊢ w ≡ w'

proof:

As before, the proof is by induction on the structure of w. The cases where w is v1 or of the form ~u, u1 ∨ u2, u1 ⊃ u2, etc. are treated as in the ER derived rule above.

Case: w is of the form ○u. We assume that if ⊢ v1 ≡ v2, then ⊢ u ≡ u'. Then by the ○○-rule ⊢ ○u ≡ ○u', i.e., ⊢ w ≡ w'.

The cases where w is of the form □u and ◇u are proved similarly by the □□-rule and ◇◇-rule, respectively. The case that w is of the form u1 U u2 needs a more detailed proof.

Case: w is of the form u1 U u2. We assume that if ⊢ v1 ≡ v2, then ⊢ u1 ≡ u1' and ⊢ u2 ≡ u2'. We attempt to use the Next to Present derived rule (NP) taking w1 to be u1 U u2 and w2 to be u1' U u2'.

1. ⊢ u1 ≡ u1'                                                    induction hypothesis
2. ⊢ u2 ≡ u2'                                                    induction hypothesis
3. ⊢ u1 U u2 ≡ [u2 ∨ (u1 ∧ ○(u1 U u2))]                          by C9
4. ⊢ u1' U u2' ≡ [u2' ∨ (u1' ∧ ○(u1' U u2'))]                    by C9
5. ⊢ u1' U u2' ≡ [u2 ∨ (u1 ∧ ○(u1' U u2'))]                      by 1, 2, 4, and PR
6. ⊢ [○(u1 U u2) ≡ ○(u1' U u2')] ⊃ [(u1 U u2) ≡ (u1' U u2')]     by 3, 5, and PR
7. ⊢ u1 U u2 ⊃ ◇u2                                               by C10
8. ⊢ u2 ⊃ [(u1 U u2) ∧ (u1' U u2')]                              by 3, 5, and PR
9. ⊢ u1 U u2 ⊃ ◇[(u1 U u2) ∧ (u1' U u2')]                        by 7, 8, and ◇Q
10. ⊢ u1' U u2' ⊃ ◇u2'                                           by C10
11. ⊢ ◇u2 ≡ ◇u2'                                                 by 2 and ◇◇
12. ⊢ u1' U u2' ⊃ ◇u2                                            by 10, 11, and PR
13. ⊢ u1' U u2' ⊃ ◇[(u1 U u2) ∧ (u1' U u2')]                     by 8, 12, and ◇Q
14. ⊢ (u1 U u2) ≡ (u1' U u2')                                    by 6, 9, 13, and NP

This concludes the proof.

“next” theorems

T13. ⊢ ○(w1 ∧ w2) ≡ (○w1 ∧ ○w2)

proof:

1. ⊢ ○(w1 ⊃ ~w2) ⊃ (○w1 ⊃ ○~w2)            by C5
2. ⊢ ~(○w1 ⊃ ○~w2) ⊃ ~○(w1 ⊃ ~w2)          by PR
3. ⊢ ~(○w1 ⊃ ~○w2) ⊃ ○~(w1 ⊃ ~w2)          by C4 and PR
4. ⊢ (○w1 ∧ ○w2) ⊃ ○(w1 ∧ w2)              by ER
5. ⊢ (w1 ∧ w2) ⊃ w1                        by PT
6. ⊢ ○(w1 ∧ w2) ⊃ ○w1                      by ○○
7. ⊢ (w1 ∧ w2) ⊃ w2                        by PT
8. ⊢ ○(w1 ∧ w2) ⊃ ○w2                      by ○○
9. ⊢ ○(w1 ∧ w2) ⊃ (○w1 ∧ ○w2)              by 6, 8, and PR
10. ⊢ ○(w1 ∧ w2) ≡ (○w1 ∧ ○w2)             by 4, 9, and PR

T14. ⊢ ○(w1 ∨ w2) ≡ (○w1 ∨ ○w2)

proof:

1. ⊢ ○(~w1 ∧ ~w2) ≡ (○~w1) ∧ (○~w2)        by T13
2. ⊢ ○(~w1 ∧ ~w2) ≡ (~○w1) ∧ (~○w2)        by C4 and PR
3. ⊢ ○~(w1 ∨ w2) ≡ (~○w1) ∧ (~○w2)         by ER and PR
4. ⊢ ~○(w1 ∨ w2) ≡ ~(○w1 ∨ ○w2)            by C4 and PR
5. ⊢ ○(w1 ∨ w2) ≡ (○w1 ∨ ○w2)              by PR

T15. ⊢ ○(w1 ⊃ w2) ≡ (○w1 ⊃ ○w2)

proof:

1. ⊢ ○(~w1 ∨ w2) ≡ (○~w1) ∨ (○w2)          by T14
2. ⊢ ○(~w1 ∨ w2) ≡ (~○w1) ∨ (○w2)          by C4 and PR
3. ⊢ ○(w1 ⊃ w2) ≡ (○w1 ⊃ ○w2)              by ER and PR

T16. ⊢ ○(w1 ≡ w2) ≡ (○w1 ≡ ○w2)

proof:

1. ⊢ [○(w1 ⊃ w2) ∧ ○(w2 ⊃ w1)] ≡ [(○w1 ⊃ ○w2) ∧ (○w2 ⊃ ○w1)]    by T15 and PR
2. ⊢ ○[(w1 ⊃ w2) ∧ (w2 ⊃ w1)] ≡ [(○w1 ⊃ ○w2) ∧ (○w2 ⊃ ○w1)]    by T13 and PR
3. ⊢ ○(w1 ≡ w2) ≡ (○w1 ≡ ○w2)                                  by ER and PR


T17. ⊢ ○□w ≡ □○w

proof:

1. ⊢ ○w ⊃ (w ⊃ ○w)                    by PT
2. ⊢ □○w ⊃ □(w ⊃ ○w)                  by □□
3. ⊢ □(w ⊃ ○w) ⊃ ○□(w ⊃ ○w)           by C7
4. ⊢ ○□(w ⊃ ○w) ⊃ ○(w ⊃ □w)           by C8 and ○○
5. ⊢ ○(w ⊃ □w) ⊃ (○w ⊃ ○□w)           by C5
6. ⊢ □○w ⊃ (○w ⊃ ○□w)                 by 2, 3, 4, 5, and PR
7. ⊢ □○w ⊃ ○w                         by C3
8. ⊢ □○w ⊃ ○□w                        by 6, 7, and PR
9. ⊢ ○□w ⊃ ○○□w                       by C7 and ○○
10. ⊢ ○□w ⊃ □○□w                      by CI
11. ⊢ ○□w ⊃ ○w                        by C3 and ○○
12. ⊢ □○□w ⊃ □○w                      by □□
13. ⊢ ○□w ⊃ □○w                       by 10, 12, and PR
14. ⊢ ○□w ≡ □○w                       by 8, 13, and PR

T18. ⊢ ○◇w ≡ ◇○w

proof:

1. ⊢ ○□~w ≡ □○~w         by T17
2. ⊢ ~○◇w ≡ ~◇○w         by C1, C4, and ER
3. ⊢ ○◇w ≡ ◇○w           by PR


T19. ⊢ □w ≡ (w ∧ ○□w)

proof:

1. ⊢ □w ⊃ w                              by C3
2. ⊢ □w ⊃ ○□w                            by C7
3. ⊢ □w ⊃ (w ∧ ○□w)                      by 1, 2, and PR
4. ⊢ ○□w ⊃ ○(w ∧ ○□w)                    by ○○
5. ⊢ (w ∧ ○□w) ⊃ ○(w ∧ ○□w)              by PR
6. ⊢ (w ∧ ○□w) ⊃ □(w ∧ ○□w)              by CI
7. ⊢ □(w ∧ ○□w) ⊃ (□w ∧ □○□w)            by T6
8. ⊢ □(w ∧ ○□w) ⊃ □w                     by PR
9. ⊢ (w ∧ ○□w) ⊃ □w                      by 6, 8, and PR
10. ⊢ □w ≡ (w ∧ ○□w)                     by 3, 9, and PR

T20. ⊢ ◇w ≡ (w ∨ ○◇w)

proof:

1. ⊢ □~w ≡ (~w ∧ ○□~w)            by T19
2. ⊢ ~◇w ≡ ~(w ∨ ~○□~w)           by C1 and PR
3. ⊢ ~◇w ≡ ~(w ∨ ○◇w)             by C4, C1, and ER
4. ⊢ ◇w ≡ (w ∨ ○◇w)               by PR

T21. ⊢ (w ∧ ◇~w) ⊃ ◇(w ∧ ○~w)

This is the dual of the “computational induction” axiom C8. It states that if w is true now and is false in the future, then there exists some instant such that w is true at that instant and false at the next.

proof:

1. ⊢ □(w ⊃ ○w) ⊃ (w ⊃ □w)           by C8
2. ⊢ ~(w ⊃ □w) ⊃ ~□(w ⊃ ○w)         by PR
3. ⊢ (w ∧ ~□w) ⊃ ◇(w ∧ ~○w)         by T4 and ER
4. ⊢ (w ∧ ◇~w) ⊃ ◇(w ∧ ○~w)         by T4, C4, and ER


“until” theorems

T22. ⊢ (○w1) U (○w2) ≡ ○(w1 U w2)

Denoting

  w1* : (○w1) U (○w2)
  w2* : ○(w1 U w2)

we have to show ⊢ w1* ≡ w2*. We will use the Next to Present derived rule (NP).

proof:

1. ⊢ w1* ≡ ○w2 ∨ (○w1 ∧ ○w1*)                          by C9
2. ⊢ ○(w1 U w2) ≡ ○(w2 ∨ (w1 ∧ ○(w1 U w2)))            by C9 and ○○
3. ⊢ w2* ≡ ○w2 ∨ (○w1 ∧ ○w2*)                          by 2, T13, T14, and PR
4. ⊢ (○w1* ≡ ○w2*) ⊃ (w1* ≡ w2*)                       by 1, 3, and PR
5. ⊢ ○w2 ⊃ (w1* ∧ w2*)                                 by 1, 3, and PR
6. ⊢ ◇○w2 ⊃ ◇(w1* ∧ w2*)                               by ◇◇
7. ⊢ (○w1 U ○w2) ⊃ ◇○w2                                by C10
8. ⊢ w1* ⊃ ◇(w1* ∧ w2*)                                by 6, 7, and PR
9. ⊢ w1 U w2 ⊃ ◇w2                                     by C10
10. ⊢ ○(w1 U w2) ⊃ ◇○w2                                by 9, ○○, and T18
11. ⊢ w2* ⊃ ◇(w1* ∧ w2*)                               by 6, 10, and PR
12. ⊢ w1* ≡ w2*                                        by 4, 8, 11, and NP

T23. ⊢ (w1 ∧ w2) U w3 ≡ [(w1 U w3) ∧ (w2 U w3)]

Denoting

  w1* : (w1 ∧ w2) U w3
  w2* : (w1 U w3) ∧ (w2 U w3)

we have to show ⊢ w1* ≡ w2*. We will again use the derived rule NP.

proof:

1. ⊢ w1* ≡ w3 ∨ ((w1 ∧ w2) ∧ ○w1*)                                          by C9
2. ⊢ w1 U w3 ≡ w3 ∨ (w1 ∧ ○(w1 U w3))                                       by C9
3. ⊢ w2 U w3 ≡ w3 ∨ (w2 ∧ ○(w2 U w3))                                       by C9
4. ⊢ (w1 U w3) ∧ (w2 U w3) ≡ w3 ∨ ((w1 ∧ w2) ∧ ○(w1 U w3) ∧ ○(w2 U w3))     by 2, 3, and PR
5. ⊢ w2* ≡ w3 ∨ ((w1 ∧ w2) ∧ ○w2*)                                          by 4, T13, and PR
6. ⊢ (○w1* ≡ ○w2*) ⊃ (w1* ≡ w2*)                                            by 1, 5, and PR
7. ⊢ w3 ⊃ (w1* ∧ w2*)                                                       by 1, 5, and PR
8. ⊢ ◇w3 ⊃ ◇(w1* ∧ w2*)                                                     by ◇◇
9. ⊢ (w1 ∧ w2) U w3 ⊃ ◇w3                                                   by C10
10. ⊢ w1* ⊃ ◇(w1* ∧ w2*)                                                    by 7, 9, and PR
11. ⊢ w1 U w3 ⊃ ◇w3                                                         by C10
12. ⊢ (w1 U w3) ∧ (w2 U w3) ⊃ ◇w3                                           by PR
13. ⊢ w2* ⊃ ◇(w1* ∧ w2*)                                                    by 8, 12, and PR
14. ⊢ w1* ≡ w2*                                                             by 6, 10, 13, and NP

4. QUANTIFIERS

Since we intend to use terms and predicates in our reasoning we have to extend our system to admit individual variables, terms and quantification. Let us consider additional axioms involving quantifiers and their interaction with modalities.

Axioms:

In these axioms x is any global individual variable. Axioms D1 and D2 are the usual predicate calculus axioms: D1 defines $\exists$ as the dual of $\forall$ and D2 is the instantiation axiom. Axiom D3 is known as the Barcan formula connecting the two universal operators $\forall$ and $\Box$. Axiom D4 is the Barcan formula for the $\bigcirc$ operator. The axioms state that since both operators have universal characteristics they commute.

A term t is said to be globally free for x in w if substitution of t for all free occurrences of x in w: (a) does not create new bound occurrences of (global) variables, and (b) does not create new occurrences of local variables in the scope of a modal operator. A trivial case: if t is x itself, then t is free for x. Condition (b) in this definition is essential. For, otherwise, we could derive the formula

$(\forall x.\,\Diamond(x < y)) \supset \Diamond(y < y),$

which is not valid for a local variable y.
An additional rule of inference is:

Inference rule:

R4. $\forall$ Insertion - $\forall$I

$\vdash w_1 \supset w_2$
-----
$\vdash w_1 \supset \forall x.w_2$

where x is not free in $w_1$.

We have the derived rule

Instantiation Rule - INST

$\vdash w(x)$
-----
$\vdash w(t)$

where t is any term globally free for x in w.

proof:

1. $\vdash w(x)$ given
2. $\vdash \forall x.w(x)$ by $\forall$I (taking $w_1$ to be true)
3. $\vdash (\forall x.w(x)) \supset w(t)$ by D2
4. $\vdash w(t)$ by 2, 3, and MP


The following are the duals of D2 and R4 for the existential quantifier $\exists$:

T24. $\vdash w(t) \supset \exists x.w(x)$

where t is any term globally free for x in w.

proof:

1. $\vdash (\forall x.\sim w(x)) \supset \sim w(t)$ by D2
2. $\vdash (\sim\exists x.w(x)) \supset \sim w(t)$ by D1 and PR
3. $\vdash w(t) \supset \exists x.w(x)$ by PR

Note that we need here again the additional condition (b) that the substitution of t for x in w does not create new occurrences of local variables in the scope of a modal operator. For otherwise, we could deduce from T24

$\Diamond(y < y) \supset \exists u.\,\Diamond(y < u),$

which is not valid for a local variable y.


$\exists$ Insertion - $\exists$I

$\vdash w_1 \supset w_2$
-----
$\vdash \exists x.w_1 \supset w_2$

where x is not free in $w_2$.

proof:

1. $\vdash w_1 \supset w_2$ given
2. $\vdash \sim w_2 \supset \sim w_1$ by PR
3. $\vdash \sim w_2 \supset \forall x.\sim w_1$ by $\forall$I (R4)
4. $\vdash \sim w_2 \supset \sim\exists x.w_1$ by D1 and PR
5. $\vdash \exists x.w_1 \supset w_2$ by PR


$\forall\forall$ Rules:

(a)
$\vdash w_1 \supset w_2$
-----
$\vdash \forall x.w_1 \supset \forall x.w_2$

(b)
$\vdash w_1 \equiv w_2$
-----
$\vdash \forall x.w_1 \equiv \forall x.w_2$

proof of (a):

1. $\vdash \forall x.w_1 \supset w_1$ by D2
2. $\vdash w_1 \supset w_2$ given
3. $\vdash \forall x.w_1 \supset w_2$ by PR
4. $\vdash \forall x.w_1 \supset \forall x.w_2$ by $\forall$I

Rule (b) then follows by propositional reasoning.


$\exists\exists$ Rules:

(a)
$\vdash w_1 \supset w_2$
-----
$\vdash \exists x.w_1 \supset \exists x.w_2$

(b)
$\vdash w_1 \equiv w_2$
-----
$\vdash \exists x.w_1 \equiv \exists x.w_2$

proof of (a):

1. $\vdash w_1 \supset w_2$ given
2. $\vdash (\sim w_2) \supset (\sim w_1)$ by PR
3. $\vdash (\forall x.\sim w_2) \supset (\forall x.\sim w_1)$ by $\forall\forall$
4. $\vdash (\sim\exists x.w_2) \supset (\sim\exists x.w_1)$ by D1 and PR
5. $\vdash \exists x.w_1 \supset \exists x.w_2$ by PR

Rule (b) then follows by propositional reasoning.

The  last  two  rules  are,  of  course,  classical  rules  of  the  predicate  calculus,  and  are  brought  here 
only  for  the  sake  of  completeness  and  later  reference. 


We extend now the Equivalence Rule (ER), given above for propositional formulas, to handle predicate formulas as well.

Equivalence Rule - ER

Let w' be the result of replacing an occurrence of a subformula $v_1$ in w by $v_2$. Then

$\vdash v_1 \equiv v_2$
-----
$\vdash w \equiv w'$

proof:

The proof is by induction on the structure of w. The cases where w is $v_1$ or of form $u_1 \vee u_2$, $u_1 \supset u_2$, $\Box u$, $\Diamond u$, $\bigcirc u$ and $u_1\,\mathcal{U}\,u_2$, are treated as before.

Case: w is of form $\forall x.u$. We assume that if $\vdash v_1 \equiv v_2$, then $\vdash u \equiv u'$. Then by the $\forall\forall$-rule $\vdash \forall x.u \equiv \forall x.u'$, i.e. $\vdash w \equiv w'$.

The case where w is of form $\exists x.u$ is proved similarly by the $\exists\exists$-rule. ∎


Deduction Rule - DED

$w_1 \vdash w_2$
-----
$\vdash (\Box w_1) \supset w_2$

where the $\forall$I rule (Rule R4) is never applied to a free variable of $w_1$ in the derivation of $w_1 \vdash w_2$.

That is, if under the assumption $w_1$ we can derive $\vdash w_2$, where rule R4 is never applied to a free variable of $w_1$, then there exists a proof establishing $\vdash (\Box w_1) \supset w_2$. We clearly must also be careful in using any theorem or derived rule such that the $\forall$I rule was used in its proof.

The additional $\Box$ operator in the conclusion is obviously necessary since in general $w_1 \vdash w_2$ does not imply $\vdash w_1 \supset w_2$. For example, obviously $w \vdash \Box w$ is true (an immediate application of Rule R3: $\vdash w$ by assumption and therefore $\vdash \Box w$ by $\Box$I); but $\vdash w \supset \Box w$ is false.


proof:

The proof of the modal Deduction Rule follows the same arguments used in the proof of the classical Deduction Rule of Predicate Calculus. We replace each line $\vdash u_i$ in the proof of $w_1 \vdash w_2$ by the line $\vdash (\Box w_1) \supset u_i$, and show that this transformation preserves soundness. That is

given:                              show:
$\vdash u_1$                        $\vdash (\Box w_1) \supset u_1$
$\vdash u_2$                        $\vdash (\Box w_1) \supset u_2$
$\vdots$                            $\vdots$
$\vdash u_m$                        $\vdash (\Box w_1) \supset u_m$
i.e. $\vdash w_2$                   i.e. $\vdash (\Box w_1) \supset w_2$

where $u_i$ is either the assumption $w_1$, an axiom, or derived from previous $u_j$'s by some rule of inference.

The proof is by a complete induction on i. We assume that for all $k < i$, $\vdash (\Box w_1) \supset u_k$, and prove that $\vdash (\Box w_1) \supset u_i$.

Case: $u_i$ is an axiom.

1. $\vdash u_i$ axiom
2. $\vdash (\Box w_1) \supset u_i$ by PR

Note that $\vdash w'$ implies $\vdash w \supset w'$ for any w, by propositional reasoning.

Case: $u_i$ is $w_1$.

1. $\vdash (\Box w_1) \supset w_1$ by C3

Case: $u_i$ is obtained by Rule R1, i.e., $u_i$ is an instance of a tautology.

1. $\vdash u_i$ by PT
2. $\vdash (\Box w_1) \supset u_i$ by PR

Case: $u_i$ is obtained by Rule R2 (using previous $\vdash u_k$ and $\vdash u_k \supset u_i$).

1. $\vdash (\Box w_1) \supset u_k$ induction hypothesis
2. $\vdash (\Box w_1) \supset (u_k \supset u_i)$ induction hypothesis
3. $\vdash (\Box w_1) \supset u_i$ by 1, 2, and PR

Case: $u_i$ is obtained by Rule R3 (using previous $\vdash u_k$), i.e., $u_i$ is $\Box u_k$.

1. $\vdash (\Box w_1) \supset u_k$ induction hypothesis
2. $\vdash (\Box\Box w_1) \supset \Box u_k$ by $\Box\Box$
3. $\vdash (\Box w_1) \supset (\Box\Box w_1)$ by T12
4. $\vdash (\Box w_1) \supset \Box u_k$ by 2, 3, and PR

Case: $u_i$ is obtained by Rule R4 (using previous $\vdash u \supset v$, i.e. $u_k$, to get $\vdash u \supset \forall x.v$, i.e. $u_i$, where x is not free in u).

By our deduction rule assumption, we know also that x is not free in $w_1$.

1. $\vdash (\Box w_1) \supset (u \supset v)$ induction hypothesis
2. $\vdash ((\Box w_1) \wedge u) \supset v$ by PR
3. $\vdash ((\Box w_1) \wedge u) \supset \forall x.v$ by R4 (since x is not free in u or $w_1$)
4. $\vdash (\Box w_1) \supset (u \supset \forall x.v)$ by PR ∎


A different approach to coping with the application of the $\Box$ insertion rule (Rule R3) is to forbid it altogether. We then get the following restricted deduction rule:

Restricted Deduction Rule - RDED

$w_1 \vdash w_2$
-----
$\vdash w_1 \supset w_2$

provided $\Box$I (Rule R3) is never applied and $\forall$I (Rule R4) is never applied to a free variable of $w_1$ in the derivation of $w_1 \vdash w_2$.

Here, we are not allowed to use rule $\Box$I or any theorem or derived rule that $\Box$I was used in its proof.

The proof of RDED follows exactly that of DED except that the case in which Rule R3 is applied does not arise.


Predicate Theorems

T25. $\vdash (\sim\forall x.w) \equiv (\exists x.\sim w)$

proof:

1. $\vdash (\sim\sim w) \equiv w$ by PT
2. $\vdash (\forall x.\sim\sim w) \equiv \forall x.w$ by $\forall\forall$
3. $\vdash (\sim\exists x.\sim w) \equiv \forall x.w$ by D1 and PR
4. $\vdash \sim\forall x.w \equiv \exists x.\sim w$ by PR

T26. $\vdash \forall x.(w_1 \wedge w_2) \equiv (\forall x.w_1 \wedge \forall x.w_2)$

proof:

1. $\vdash \forall x.w_1 \supset w_1$ by D2
2. $\vdash \forall x.w_2 \supset w_2$ by D2
3. $\vdash (\forall x.w_1 \wedge \forall x.w_2) \supset (w_1 \wedge w_2)$ by 1, 2, and PR
4. $\vdash (\forall x.w_1 \wedge \forall x.w_2) \supset \forall x.(w_1 \wedge w_2)$ by $\forall$I
5. $\vdash (w_1 \wedge w_2) \supset w_1$ by PT
6. $\vdash \forall x.(w_1 \wedge w_2) \supset \forall x.w_1$ by $\forall\forall$
7. $\vdash (w_1 \wedge w_2) \supset w_2$ by PT
8. $\vdash \forall x.(w_1 \wedge w_2) \supset \forall x.w_2$ by $\forall\forall$
9. $\vdash \forall x.(w_1 \wedge w_2) \supset (\forall x.w_1 \wedge \forall x.w_2)$ by 6, 8, and PR
10. $\vdash \forall x.(w_1 \wedge w_2) \equiv (\forall x.w_1 \wedge \forall x.w_2)$ by 4, 9, and PR

T27. $\vdash \exists x.(w_1 \vee w_2) \equiv (\exists x.w_1 \vee \exists x.w_2)$

proof:

1. $\vdash \forall x.(\sim w_1 \wedge \sim w_2) \equiv (\forall x.\sim w_1 \wedge \forall x.\sim w_2)$ by T26
2. $\vdash \forall x.\sim(w_1 \vee w_2) \equiv (\forall x.\sim w_1 \wedge \forall x.\sim w_2)$ by ER
3. $\vdash \sim\exists x.(w_1 \vee w_2) \equiv (\sim\exists x.w_1 \wedge \sim\exists x.w_2)$ by D1 and PR
4. $\vdash \exists x.(w_1 \vee w_2) \equiv (\exists x.w_1 \vee \exists x.w_2)$ by PR

T28. $\vdash (\forall x.\Box w) \equiv (\Box\forall x.w)$

proof:

1. $\vdash (\forall x.w) \supset w$ by D2
2. $\vdash (\Box\forall x.w) \supset \Box w$ by $\Box\Box$
3. $\vdash (\Box\forall x.w) \supset (\forall x.\Box w)$ by $\forall$I
4. $\vdash (\forall x.\Box w) \supset (\Box\forall x.w)$ by D3
5. $\vdash (\forall x.\Box w) \equiv (\Box\forall x.w)$ by 3, 4, and PR

alternative proof of $\vdash (\Box\forall x.w) \supset (\forall x.\Box w)$:

1. $\vdash \forall x.w$ assumption
2. $\vdash w$ by D2 and MP
3. $\vdash \Box w$ by $\Box$I
4. $\vdash \forall x.\Box w$ by $\forall$I

Thus, $\forall x.w \vdash \forall x.\Box w$ and by the deduction rule

5. $\vdash (\Box\forall x.w) \supset (\forall x.\Box w)$
T29. $\vdash (\exists x.\Diamond w) \equiv (\Diamond\exists x.w)$

proof:

1. $\vdash (\forall x.\Box\sim w) \equiv (\Box\forall x.\sim w)$ by T28
2. $\vdash (\forall x.\sim\Diamond w) \equiv (\Box\sim\exists x.w)$ by C1, D1, and ER (twice)
3. $\vdash (\sim\exists x.\Diamond w) \equiv (\sim\Diamond\exists x.w)$ by C1, D1 and PR
4. $\vdash (\exists x.\Diamond w) \equiv (\Diamond\exists x.w)$ by PR

T30. $\vdash (\bigcirc\forall x.w) \equiv (\forall x.\bigcirc w)$

proof:

1. $\vdash (\forall x.\bigcirc w) \supset (\bigcirc\forall x.w)$ by D4
2. $\vdash \forall x.w \supset w$ by D2
3. $\vdash (\bigcirc\forall x.w) \supset \bigcirc w$ by $\bigcirc\bigcirc$
4. $\vdash (\bigcirc\forall x.w) \supset (\forall x.\bigcirc w)$ by $\forall$I
5. $\vdash (\forall x.\bigcirc w) \equiv (\bigcirc\forall x.w)$ by 1, 4, and PR

T31. $\vdash (\bigcirc\exists x.w) \equiv (\exists x.\bigcirc w)$

proof:

1. $\vdash (\forall x.\bigcirc\sim w) \equiv (\bigcirc\forall x.\sim w)$ by T30
2. $\vdash (\forall x.\sim\bigcirc w) \equiv (\bigcirc\sim\exists x.w)$ by C4, D1, and ER
3. $\vdash (\sim\exists x.\bigcirc w) \equiv (\sim\bigcirc\exists x.w)$ by C4, D1, and PR
4. $\vdash (\exists x.\bigcirc w) \equiv (\bigcirc\exists x.w)$ by PR

Theorem T28 implies the commutativity of $\forall$ with $\Box$: Both have a universal character, with one quantifying over individuals and the other quantifying over states. Similarly, Theorem T29 implies the commutativity of $\exists$ with $\Diamond$. The last two theorems (T30 and T31) imply the commutativity of $\forall$ and $\exists$ with $\bigcirc$.


5. EQUALITY

Equality is handled by the following axioms:

Axioms:

E1. $\vdash t = t$ for any term t

E2. $\vdash (t_1 = t_2) \supset [w(t_1, t_1) \equiv w(t_1, t_2)]$
where w contains no modal operators, and $t_2$ is any term globally free for $t_1$ in w.

Axiom E1 states the reflexivity of equality. Axiom E2 states the substitutivity property of equality. We use $w(t_1, t_2)$ to indicate that $t_2$ replaces some of the occurrences of $t_1$ in w.

Recall that a term $t_2$ is said to be globally free for $t_1$ in w if substitution of $t_2$ for all free occurrences of $t_1$ in w: (a) does not create new bound occurrences of (global) variables, and (b) does not create new occurrences of local variables in the scope of a modal operator.

Note that the classical axiom for substitutivity of equality E2

$\vdash (t_1 = t_2) \supset [w(t_1, t_1) \equiv w(t_1, t_2)]$

(where $t_2$ is free for $t_1$ in w) is not correct if w contains modal operators. We could take $w(t_1, t_2)$ to be $\Box(t_1 = t_2)$ and deduce from E2

$\vdash (t_1 = t_2) \supset [\Box(t_1 = t_1) \equiv \Box(t_1 = t_2)],$

i.e.,

$\vdash (t_1 = t_2) \supset \Box(t_1 = t_2),$

which is not a valid statement (since $t_1 = t_2$ may contain local variables). But we have the following theorem for arbitrary formulas.

T32. Substitutivity of Equality

$\vdash \Box(t_1 = t_2) \supset [w(t_1, t_1) \equiv w(t_1, t_2)]$

where $t_2$ is free for $t_1$ in w.
proof:

By induction on the structure of w.

Case: w contains no modal operators. Then

1. $\vdash (t_1 = t_2) \supset [w(t_1, t_1) \equiv w(t_1, t_2)]$ by E2
2. $\vdash \Box(t_1 = t_2) \supset (t_1 = t_2)$ by C3
3. $\vdash \Box(t_1 = t_2) \supset [w(t_1, t_1) \equiv w(t_1, t_2)]$ by MP

Case: w is of the form $\Box u$. Then

1. $\vdash \Box(t_1 = t_2) \supset [u(t_1, t_1) \equiv u(t_1, t_2)]$ induction hypothesis
2. $\vdash \Box(t_1 = t_2)$ assumption
3. $\vdash u(t_1, t_1) \equiv u(t_1, t_2)$ by MP
4. $\vdash \Box u(t_1, t_1) \equiv \Box u(t_1, t_2)$ by $\Box\Box$

Thus, $\Box(t_1 = t_2) \vdash \Box u(t_1, t_1) \equiv \Box u(t_1, t_2)$

4. $\vdash \Box\Box(t_1 = t_2) \supset [\Box u(t_1, t_1) \equiv \Box u(t_1, t_2)]$ by DED
5. $\vdash \Box(t_1 = t_2) \supset [\Box u(t_1, t_1) \equiv \Box u(t_1, t_2)]$ by T2 and PR

The cases in which w is of the form $\Diamond u$, $\bigcirc u$, $\forall x.u$, and $\exists x.u$ are treated similarly, using the $\Diamond\Diamond$-rule, the $\bigcirc\bigcirc$-rule, the $\forall\forall$-rule, and the $\exists\exists$-rule, respectively.

Case: w is of the form $u\,\mathcal{U}\,v$.

1. $\vdash \Box(t_1 = t_2) \supset [u(t_1, t_1) \equiv u(t_1, t_2)]$ induction hypothesis
2. $\vdash \Box(t_1 = t_2) \supset [v(t_1, t_1) \equiv v(t_1, t_2)]$ induction hypothesis
3. $\vdash \Box(t_1 = t_2)$ assumption
4. $\vdash u(t_1, t_1) \equiv u(t_1, t_2)$ by 1, 3, and MP
5. $\vdash v(t_1, t_1) \equiv v(t_1, t_2)$ by 2, 3, and MP
6. $\vdash [u(t_1, t_1)\,\mathcal{U}\,v(t_1, t_1)] \equiv [u(t_1, t_2)\,\mathcal{U}\,v(t_1, t_2)]$ by 4, 5, and ER

Thus, $\Box(t_1 = t_2) \vdash (u(t_1, t_1)\,\mathcal{U}\,v(t_1, t_1)) \equiv (u(t_1, t_2)\,\mathcal{U}\,v(t_1, t_2))$

7. $\vdash \Box\Box(t_1 = t_2) \supset [(u(t_1, t_1)\,\mathcal{U}\,v(t_1, t_1)) \equiv (u(t_1, t_2)\,\mathcal{U}\,v(t_1, t_2))]$ by DED
8. $\vdash \Box(t_1 = t_2) \supset [(u(t_1, t_1)\,\mathcal{U}\,v(t_1, t_1)) \equiv (u(t_1, t_2)\,\mathcal{U}\,v(t_1, t_2))]$ by T2 and PR ∎


T33. Commutativity of Equality

$\vdash (t_1 = t_2) \supset (t_2 = t_1)$

proof:

1. $\vdash (t_1 = t_2) \supset [(t_1 = t_1) \equiv (t_2 = t_1)]$ by E2
2. $\vdash t_1 = t_1$ by E1
3. $\vdash (t_1 = t_2) \supset (t_2 = t_1)$ by 1, 2, and PR

T34. Transitivity of Equality

$\vdash [(t_1 = t_2) \wedge (t_2 = t_3)] \supset (t_1 = t_3)$

proof:

1. $\vdash (t_1 = t_2) \supset [(t_1 = t_3) \equiv (t_2 = t_3)]$ by E2
2. $\vdash [(t_1 = t_2) \wedge (t_2 = t_3)] \supset (t_1 = t_3)$ by PR

T35. Term Equality

(a) $\vdash \Box(t_1 = t_2) \supset (\tau(t_1) = \tau(t_2))$ for any term $\tau$

(b) $\vdash (t_1 = t_2) \supset (\tau(t_1) = \tau(t_2))$ where $\tau$ does not contain the next operator.

Here, $\tau(t_2)$ is the result of replacing an occurrence of $t_1$ in $\tau$ by $t_2$.

proof of (a):

1. $\vdash \Box(t_1 = t_2) \supset [(\tau(t_1) = \tau(t_2)) \equiv (\tau(t_2) = \tau(t_2))]$ by T32
2. $\vdash \tau(t_2) = \tau(t_2)$ by E1
3. $\vdash \Box(t_1 = t_2) \supset (\tau(t_1) = \tau(t_2))$ by 1, 2, and PR

proof of (b):

1. $\vdash (t_1 = t_2) \supset [(\tau(t_1) = \tau(t_2)) \equiv (\tau(t_2) = \tau(t_2))]$ by E2 (no $\bigcirc$ in $\tau$)
2. $\vdash \tau(t_2) = \tau(t_2)$ by E1
3. $\vdash (t_1 = t_2) \supset (\tau(t_1) = \tau(t_2))$ by 1, 2, and PR


6. FRAME AXIOMS AND RULES

The use of the next operator $\bigcirc$ applied to terms is governed by the axioms:

Axioms:

N1. $\vdash \bigcirc f(t_1, \ldots, t_n) = f(\bigcirc t_1, \ldots, \bigcirc t_n)$
for any function f and terms $t_1, \ldots, t_n$

N2. $\vdash \bigcirc p(t_1, \ldots, t_n) \equiv p(\bigcirc t_1, \ldots, \bigcirc t_n)$
for any predicate p and terms $t_1, \ldots, t_n$

N3. $\vdash \bigcirc(t_1 = t_2) \equiv (\bigcirc t_1 = \bigcirc t_2)$

Axiom N3 is a special case of N2 where p is the equality predicate.

These axioms are consistent with the evaluation rules that we gave which stated that to evaluate an expression $\bigcirc f(t_1, \ldots, t_n)$, we can evaluate $f(\bigcirc t_1, \ldots, \bigcirc t_n)$ regardless of whether the expression is a term or a logical expression.

Recall that we split the set of our symbols into two subsets: global and local symbols. The logical consequence of this convention is the following frame axiom:

FA. Frame Axiom

$\vdash x = \bigcirc x$ for every global variable x

We can therefore prove by induction on the structure of the term t and the formula w the following frame theorems:

T36. For a term t and formula w

(a) $\vdash t = \bigcirc t$ provided t does not contain local symbols

(b) $\vdash w \equiv \Box w$ provided w does not contain local symbols

(c) $\vdash w(\bigcirc y_1, \ldots, \bigcirc y_n) \equiv \bigcirc w(y_1, \ldots, y_n)$
provided $y_1, \ldots, y_n$ are all the local variables in w.


A derived frame rule that we will be using is

Frame Rule - FR

$\vdash w_1 \supset \bigcirc w_2$
-----
$\vdash (w \wedge w_1) \supset \bigcirc(w \wedge w_2)$

provided w does not contain local symbols.

proof:

1. $\vdash w \supset \Box w$ by T36
2. $\vdash w_1 \supset \bigcirc w_2$ given
3. $\vdash (w \wedge w_1) \supset (\Box w \wedge \bigcirc w_2)$ by 1, 2, and PR
4. $\vdash (\Box w \wedge \bigcirc w_2) \supset \bigcirc(w \wedge w_2)$ by T10
5. $\vdash (w \wedge w_1) \supset \bigcirc(w \wedge w_2)$ by 3, 4, and PR

7. DOMAIN PART

The next part of the system contains domain axioms that specify the necessary properties of the domain of interest. Thus, to reason about programs manipulating natural numbers, we need the set of Peano Axioms, and to reason about trees we need a set of axioms giving the basic properties of trees and the basic operations defined on them.

An essential axiom schema for many domains is the induction axiom schema. This (and all other schemas) should be formulated to admit modal instances as subformulas. Thus the induction principle for natural numbers can be stated as follows:

Induction Axiom

$\vdash [R(0) \wedge \forall n(R(n) \supset R(n+1))] \supset R(k)$
for any statement R.

One instance of this principle, which will be used later, is obtained by taking $R(n)$ to be $\Box(Q(n) \supset \Diamond\psi)$:

Induction Theorem

$\vdash \{\Box(Q(0) \supset \Diamond\psi) \wedge \forall n[\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)]\} \supset \Box(Q(k) \supset \Diamond\psi).$

Similar induction theorems exist for other domains and depend on well-founded orderings existing in those domains.

Using this induction theorem we can derive the following useful induction rule:

Induction Rule - IND

$\vdash Q(0) \supset \Diamond\psi$
$\vdash Q(n+1) \supset (\Diamond\psi \vee \bigcirc Q(n))$
-----
$\vdash Q(k) \supset \Diamond\psi$

IND is useful for proving convergence of a loop: Show that $Q(0)$ guarantees $\Diamond\psi$ and that for each n, either $Q(n+1)$ implies $Q(n)$ across the loop or it already establishes $\Diamond\psi$ and no further execution is necessary. Then $Q(k)$ ensures that the loop is executed at most k times and that $\Diamond\psi$ is established on the last iteration or earlier.

proof:

1. $\vdash Q(0) \supset \Diamond\psi$ given
2. $\vdash \Box(Q(0) \supset \Diamond\psi)$ by $\Box$I
3. $\vdash Q(n+1) \supset (\Diamond\psi \vee \bigcirc Q(n))$ given
4. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset (\bigcirc Q(n) \supset \Diamond\psi)$ by T5, T3 and PR
5. $\vdash [(\bigcirc Q(n) \supset \Diamond\psi) \wedge (\Diamond\psi \vee \bigcirc Q(n))] \supset \Diamond\psi$ by PT
6. $\vdash [Q(n+1) \wedge \Box(Q(n) \supset \Diamond\psi)] \supset \Diamond\psi$ by 3, 4, 5 and PR
7. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset (Q(n+1) \supset \Diamond\psi)$ by PR
8. $\vdash \Box\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)$ by $\Box\Box$
9. $\vdash \Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)$ by T2 and PR
10. $\vdash \forall n[\Box(Q(n) \supset \Diamond\psi) \supset \Box(Q(n+1) \supset \Diamond\psi)]$ by $\forall$I
11. $\vdash \Box(Q(k) \supset \Diamond\psi)$ by 2, 10, and Induction Theorem
12. $\vdash Q(k) \supset \Diamond\psi$ by C3 and MP ∎


8. PROGRAM PART

Our proof system must be augmented by additional axioms that reflect the structure of the program under consideration. These additional axioms constrain the state sequences to be exactly the set of execution sequences of the program under study. This releases us from the need to express program text syntactically in the system; all necessary information is captured by constraints on the accessibility relation that are expressed by the additional axioms.

For simplicity, we assume that the program is represented by a directed graph whose nodes are the program locations or labels and whose edges represent transitions between the labels. A transition is an instruction of the general form

[figure: an edge from label $\ell$ to label $\ell'$ labelled $c(\bar y) \to [\bar y := f(\bar y)]$]

Here, $c(\bar y)$ is a condition (possibly the trivial condition true) under which the transition replacing $\bar y$ by $f(\bar y)$ should be taken, where $\bar y = (y_1, \ldots, y_n)$ is the vector of program variables.

We assume that the programs are sequential and deterministic; in other words, all the conditions $c_1, \ldots, c_k$ on transitions departing from any node are exhaustive, i.e., $\bigvee_{i=1}^{k} c_i(\bar y) = true$, and mutually exclusive. In order to uniformly satisfy this requirement we add "true $\to$ [ ]" self-transitions to all the exit nodes.

A first generic axiom states that in every state s, $at\,\ell$ is true for exactly one label $\ell$. Let L denote the set of all labels in the program; we have

Location Axiom - LA

$\vdash \sum_{\ell \in L} at\,\ell = 1.$

We use here the abbreviation $\sum p_i = 1$ or $p_1 + \cdots + p_n = 1$ to mean that exactly one of the $p_i$'s is true; $p_i = 1$ if $p_i$ is true and $p_i = 0$ if $p_i$ is false.

The role of the other axioms, called the transition axioms, is to introduce our knowledge about the program into the system. Since the system does not provide direct tools for speaking about programs (such as mentioning program text in Hoare's formalism or Dynamic Logic), the transition axioms represent the program by characterizing the possible state transitions under the execution of the program. For any transition $\alpha$ from $\ell$ to $\ell'$ of the form above, we generate a transition axiom $F_\alpha$. This axiom corresponds to a "forward" propagation (symbolic execution) across the transition $\alpha$:

Forward transition axiom

$F_\alpha$: $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset \bigcirc[at\,\ell' \wedge \bar y = f(\bar u)],$
where $\bar u$ are auxiliary global variables.

This axiom states: If at any state, execution is at $\ell$, $c(\bar y)$ holds, and the current values of $\bar y$ are $\bar u$, then at the next state we will be at $\ell'$ with $\bar y = f(\bar u)$.

A different approach that suggests an alternative axiom schema is obtained by "backward" substitution (derivation of the weakest precondition):

Backward transition axiom

$B_\alpha$: $\vdash [at\,\ell \wedge c(\bar y) \wedge P(f(\bar y))] \supset \bigcirc[at\,\ell' \wedge P(\bar y)],$
where P is any state predicate (i.e., without modalities).

Here $P(f(\bar y))$ denotes the substitution of $f(\bar y)$ for all free occurrences of $\bar y$ in $P(\bar y)$. This form of the axiom expresses the effect of the transition on an arbitrary "state" predicate P; i.e., a predicate P that does not contain any modal operators. It says that if $at\,\ell \wedge c(\bar y)$ and $P(f(\bar y))$ hold, then we are guaranteed to reach $\ell'$ with $P(\bar y)$ on the next step.

The predicate P may not contain modalities. As a counterexample, consider the program segment

[figure: an edge $\alpha$ from $\ell$ to $\ell'$ labelled $true \to [y := 1]$, followed by an edge from $\ell'$ labelled $true \to [y := 0]$]

and

$P(y)$: $\Box(y = 1)$.

The appropriate instance of the backward axiom for $\alpha$ is

$B_\alpha$: $\vdash [at\,\ell \wedge true \wedge \Box(1 = 1)] \supset \bigcirc[at\,\ell' \wedge \Box(y = 1)],$

which clearly does not correctly reflect the computation of the program.

$F_\alpha$ and $B_\alpha$ are equivalent and can be derived from each other. That is, for every transition $\alpha$:

$B_\alpha$ holds for every P if and only if $F_\alpha$ holds.
proof: $B_\alpha$ for every P $\Rightarrow$ $F_\alpha$

1. $\vdash [at\,\ell \wedge c(\bar y) \wedge P(f(\bar y))] \supset \bigcirc[at\,\ell' \wedge P(\bar y)]$ by $B_\alpha$, given
2. $\vdash [at\,\ell \wedge c(\bar y) \wedge f(\bar y) = f(\bar u)] \supset \bigcirc[at\,\ell' \wedge \bar y = f(\bar u)]$ taking $P(\bar y)$ to be $\bar y = f(\bar u)$, where $\bar u$ are auxiliary global variables
3. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset [at\,\ell \wedge c(\bar y) \wedge f(\bar y) = f(\bar u)]$ by T35(b) and PR
4. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset \bigcirc[at\,\ell' \wedge \bar y = f(\bar u)]$ by 2, 3 and PR

which is the desired $F_\alpha$. ∎

proof: $F_\alpha$ $\Rightarrow$ $B_\alpha$ for every P.

Let P be an arbitrary state predicate and $\bar u$ auxiliary global variables not in P. Then

1. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset \bigcirc[at\,\ell' \wedge \bar y = f(\bar u)]$ $F_\alpha$, given
2. $\vdash \bigcirc[at\,\ell' \wedge \bar y = f(\bar u)] \supset [\bigcirc at\,\ell' \wedge \bigcirc(\bar y = f(\bar u))]$ by T13
3. $\vdash \bigcirc(\bar y = f(\bar u)) \supset ((\bigcirc\bar y) = f(\bigcirc\bar u))$ by N3 and N1
4. $\vdash \bar u = \bigcirc\bar u$ by FA, since $\bar u$ is global
5. $\vdash f(\bar u) = f(\bigcirc\bar u)$ by T35(b)
6. $\vdash \bigcirc(\bar y = f(\bar u)) \supset ((\bigcirc\bar y) = f(\bar u))$ by 3, 5, E2, and PR
7. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset [\bigcirc at\,\ell' \wedge (\bigcirc\bar y) = f(\bar u)]$ by 1, 2, 6, and PR
8. $\vdash [\bar y = \bar u \wedge P(f(\bar y))] \supset P(f(\bar u))$ by E2 (no modal operators in P) and PR
9. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u \wedge P(f(\bar y))] \supset [\bigcirc at\,\ell' \wedge (\bigcirc\bar y) = f(\bar u) \wedge P(f(\bar u))]$ by 7, 8, and PR
10. $\vdash ((\bigcirc\bar y) = f(\bar u)) \supset (P(\bigcirc\bar y) \equiv P(f(\bar u)))$ by E2 and PR
11. $\vdash P(\bigcirc\bar y) \equiv \bigcirc P(\bar y)$ by T36(c)
12. $\vdash [(\bigcirc\bar y) = f(\bar u) \wedge P(f(\bar u))] \supset \bigcirc P(\bar y)$ by 10, 11, and PR
13. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u \wedge P(f(\bar y))] \supset [\bigcirc at\,\ell' \wedge \bigcirc P(\bar y)]$ by 9, 12, and PR
14. $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar y \wedge P(f(\bar y))] \supset [\bigcirc at\,\ell' \wedge \bigcirc P(\bar y)]$ by INST
15. $\vdash [at\,\ell \wedge c(\bar y) \wedge P(f(\bar y))] \supset [\bigcirc at\,\ell' \wedge \bigcirc P(\bar y)]$ by FA and PR
16. $\vdash [at\,\ell \wedge c(\bar y) \wedge P(f(\bar y))] \supset \bigcirc[at\,\ell' \wedge P(\bar y)]$ by T13 and PR

which is the desired $B_\alpha$. ∎


We often use a weaker form of the transition axioms:

$F'_\alpha$: $\vdash [at\,\ell \wedge c(\bar y) \wedge \bar y = \bar u] \supset \Diamond[at\,\ell' \wedge \bar y = f(\bar u)]$

and

$B'_\alpha$: $\vdash [at\,\ell \wedge c(\bar y) \wedge P(f(\bar y))] \supset \Diamond[at\,\ell' \wedge P(\bar y)]$

obtained from $F_\alpha$ and $B_\alpha$, respectively, by replacing $\bigcirc$ with $\Diamond$. The weaker forms follow by T11, i.e. $\vdash \bigcirc w \supset \Diamond w$.

9. THE INVARIANCE PRINCIPLE

We now present a general method for proving invariance properties of programs, i.e., properties that hold continuously throughout the execution. Such properties are expressible by formulas of form

$\vdash [at\,\ell_0 \wedge \phi(\bar x)] \supset \Box Q(\bar y).$

That is, $Q(\bar y)$ is invariantly true for every computation starting at $\ell_0$ with input $\bar x$ satisfying the precondition $\phi(\bar x)$.

Let $\ell$ be any label in the program under consideration and let its outgoing transitions be of the form

[figure: edges from $\ell$ to $\ell_i$ labelled $c_i(\bar y) \to [\bar y := f_i(\bar y)]$, for $i = 1, \ldots, k$]

Recall that we assume that $c_1(\bar y), \ldots, c_k(\bar y)$ are exhaustive, i.e. $\bigvee_{i=1}^{k} c_i(\bar y) = true$, and mutually exclusive. We denote by L the set of all labels in P. We have

Invariance Principle:

Let $Q(\bar y)$ be a state predicate (with no modalities) and labels describing a property of program P with input condition $\phi(\bar x)$.

If

(a) Q is true initially, i.e.,

$\vdash [at\,\ell_0 \wedge \phi(\bar x)] \supset Q(\bar y)$

(b) Q is maintained along any transition $\alpha$ in P, i.e.,

$\vdash [at\,\ell \wedge c_\alpha(\bar y) \wedge Q(\bar y)] \supset Q(f_\alpha(\bar y)),$

then Q is invariantly true, i.e.,

$\vdash [at\,\ell_0 \wedge \phi(\bar x)] \supset \Box Q(\bar y).$


proof:

Consider an arbitrary label $\ell$ and an arbitrary transition i, $1 \le i \le k$, from $\ell$ to $\ell_i$.

1. $\vdash [at\,\ell \wedge c_i(\bar y) \wedge Q(\bar y)] \supset [at\,\ell \wedge c_i(\bar y) \wedge Q(f_i(\bar y))]$ by (b) and PR
2. $\vdash [at\,\ell \wedge c_i(\bar y) \wedge Q(f_i(\bar y))] \supset \bigcirc[at\,\ell_i \wedge Q(\bar y)]$ by $B_{\alpha_i}$
3. $\vdash [at\,\ell \wedge c_i(\bar y) \wedge Q(\bar y)] \supset \bigcirc[at\,\ell_i \wedge Q(\bar y)]$ by 1, 2 and PR
4. $\vdash [at\,\ell \wedge c_i(\bar y) \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by T13 and PR
5. $\vdash \bigvee_{i=1}^{k}[at\,\ell \wedge c_i(\bar y) \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by PR (taking the disjunction over all transitions from $\ell$)
6. $\vdash [at\,\ell \wedge \bigvee_{i=1}^{k} c_i(\bar y) \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by PR
7. $\vdash \bigvee_{i=1}^{k} c_i(\bar y) = true$ assumption
8. $\vdash [at\,\ell \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by PR
9. $\vdash \bigvee_{\ell \in L}[at\,\ell \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by PR (taking the disjunction over all labels of P)
10. $\vdash [(\bigvee_{\ell \in L} at\,\ell) \wedge Q(\bar y)] \supset \bigcirc Q(\bar y)$ by PR
11. $\vdash \bigvee_{\ell \in L} at\,\ell = true$ by Location Axiom and PR
12. $\vdash Q(\bar y) \supset \bigcirc Q(\bar y)$ by 10, 11 and PR
13. $\vdash Q(\bar y) \supset \Box Q(\bar y)$ by CI
14. $\vdash [at\,\ell_0 \wedge \phi(\bar x)] \supset Q(\bar y)$ by (a)
15. $\vdash [at\,\ell_0 \wedge \phi(\bar x)] \supset \Box Q(\bar y)$ by 13, 14 and PR

10. EXAMPLE: INTEGER EXPONENTIATION PROGRAM

Consider for example the following program IE over the integers, which raises a real number $x_1$ to an integer $x_2$, i.e. $x_1^{x_2}$, where $x_2 \ge 0$. We assume that $0^0 = 1$.

Program IE (Integer Exponentiation):

Let

$\phi$: $at\,\ell_0 \wedge x_2 \ge 0$
$\psi$: $at\,\ell_2 \wedge y_3 = x_1^{x_2}$

We would like to use our proof system to establish the total correctness of program IE with respect to $\phi$ and $\psi$; we will show

$\vdash \phi \supset \Diamond\psi.$

In the proof we ignore type considerations such as $real(x_1)$ and $integer(x_2)$. (See [MUR], [MW].)

PROOF 1: Using Backward Transition Axioms

The backward transition axiom schemata corresponding to this program (taking the weaker form, with $\Diamond$ rather than $\bigcirc$) are:

$B'_\alpha$: $\vdash [at\,\ell_0 \wedge P(x_1, x_2, 1)] \supset \Diamond[at\,\ell_1 \wedge P(y_1, y_2, y_3)]$

$B'_\beta$: $\vdash [at\,\ell_1 \wedge y_2 = 0 \wedge P(y_1, y_2, y_3)] \supset \Diamond[at\,\ell_2 \wedge P(y_1, y_2, y_3)]$

$B'_\gamma$: $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge odd(y_2) \wedge P(y_1, y_2 - 1, y_1 \cdot y_3)] \supset \Diamond[at\,\ell_1 \wedge P(y_1, y_2, y_3)]$

$B'_\delta$: $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge even(y_2) \wedge P(y_1^2, y_2 \div 2, y_3)] \supset \Diamond[at\,\ell_1 \wedge P(y_1, y_2, y_3)]$

We prove

(a) $\vdash \phi \supset \Diamond\exists k.Q(k, \bar y)$

(b) $\vdash (\exists k.Q(k, \bar y)) \supset \Diamond\psi$, or equivalently $\vdash Q(k, \bar y) \supset \Diamond\psi$,

where

$Q(n, \bar y)$: $at\,\ell_1 \wedge (0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}.$

Here, $0 \le y_2 \le n$ is used to establish the termination, and $y_3 \cdot y_1^{y_2} = x_1^{x_2}$ is the invariant used to establish the correctness.

Clearly, by rule $\Diamond C$, parts (a) and (b) imply the desired result $\vdash \phi \supset \Diamond\psi$.
proof of (a):

1. $\vdash 1 \cdot x_1^{x_2} = x_1^{x_2}$ by domain
2. $\vdash \phi \supset [at\,\ell_0 \wedge x_2 \ge 0 \wedge 1 \cdot x_1^{x_2} = x_1^{x_2}]$ by PR
3. $\vdash [at\,\ell_0 \wedge x_2 \ge 0 \wedge 1 \cdot x_1^{x_2} = x_1^{x_2}] \supset \Diamond[at\,\ell_1 \wedge y_2 \ge 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$ by $B'_\alpha$, where P is $y_2 \ge 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}$
4. $\vdash (y_2 \ge 0) \supset (0 \le y_2 \le y_2)$ by domain
5. $\vdash [at\,\ell_1 \wedge y_2 \ge 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}] \supset [at\,\ell_1 \wedge (0 \le y_2 \le y_2) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$ by 4 and PR
6. $\vdash [at\,\ell_1 \wedge y_2 \ge 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}] \supset \exists k[at\,\ell_1 \wedge (0 \le y_2 \le k) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$ by T24
7. $\vdash \phi \supset \Diamond\exists k.Q(k, \bar y)$ by 2, 3, 6 and $\Diamond\Diamond$
proof of (b):

We use the induction rule IND:

$(b_1)$ $\vdash Q(0, \bar y) \supset \Diamond\psi$
$(b_2)$ $\vdash Q(n+1, \bar y) \supset (\Diamond\psi \vee \Diamond Q(n, \bar y))$
-----
$\vdash Q(k, \bar y) \supset \Diamond\psi$

proof of $(b_1)$:

8. $\vdash [(0 \le y_2 \le 0) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}] \supset (y_2 = 0 \wedge y_3 = x_1^{x_2})$ by domain
9. $\vdash Q(0, \bar y) \supset [at\,\ell_1 \wedge y_2 = 0 \wedge y_3 = x_1^{x_2}]$ by PR
10. $\vdash [at\,\ell_1 \wedge y_2 = 0 \wedge y_3 = x_1^{x_2}] \supset \Diamond[at\,\ell_2 \wedge y_3 = x_1^{x_2}]$ by $B'_\beta$, where P is $y_3 = x_1^{x_2}$
11. $\vdash Q(0, \bar y) \supset \Diamond\psi$ by 9, 10 and PR
proof  of  (b2): 
case  1:  y2  =  0. 


12.  h  {y-i  =  0  A  2/3  -yiVa  =  ZiIa]  3  [j/2  =  0  A  Jla  =  Z|Iaj 


13.  H  [Q(n  +  1  ,  y)  A  y2  =  Oj  3  Jai A  y2  —  0  A  y3  =  xiIa] 


by  domain 


by  />/? 


14.  I-  [a^i  A  y-i  —  0  A  y>,  =  X\ IaJ  3  Q\atl-i  A  ya  =  ziIaj 

by  H'p,  where  P  is  y3  =  XiIa 


15.  h  [Q(n  +  I,!/)  A  J2  =0]  3  Oip 


by  13,  14  and  PH 


case 2: $y_2 > 0 \wedge odd(y_2)$.

16. $\vdash [y_2 > 0 \wedge (0 \le y_2 \le n+1) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}] \supset [(0 \le y_2 - 1 \le n) \wedge (y_1 \cdot y_3) \cdot y_1^{y_2 - 1} = x_1^{x_2}]$   by domain

17. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge odd(y_2)] \supset [at\,\ell_1 \wedge y_2 > 0 \wedge odd(y_2) \wedge (0 \le y_2 - 1 \le n) \wedge (y_1 \cdot y_3) \cdot y_1^{y_2 - 1} = x_1^{x_2}]$   by PR

18. $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge odd(y_2) \wedge (0 \le y_2 - 1 \le n) \wedge (y_1 \cdot y_3) \cdot y_1^{y_2 - 1} = x_1^{x_2}] \supset \Diamond[at\,\ell_1 \wedge (0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$   by $B'_\gamma$, where $P$ is $(0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}$

19. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge odd(y_2)] \supset \Diamond Q(n, \bar{y})$   by 17, 18, and PR


case 3: $y_2 > 0 \wedge even(y_2)$.

20. $\vdash [even(y_2) \wedge (0 \le y_2 \le n+1) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}] \supset [(0 \le y_2 \div 2 \le n) \wedge y_3 \cdot (y_1^2)^{y_2 \div 2} = x_1^{x_2}]$   by domain

21. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset [at\,\ell_1 \wedge y_2 > 0 \wedge even(y_2) \wedge (0 \le y_2 \div 2 \le n) \wedge y_3 \cdot (y_1^2)^{y_2 \div 2} = x_1^{x_2}]$   by PR

22. $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge even(y_2) \wedge (0 \le y_2 \div 2 \le n) \wedge y_3 \cdot (y_1^2)^{y_2 \div 2} = x_1^{x_2}] \supset \Diamond[at\,\ell_1 \wedge (0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$   by $B'_\delta$, where $P$ is $(0 \le y_2 \le n) \wedge (y_3 \cdot y_1^{y_2} = x_1^{x_2})$

23. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset \Diamond Q(n, \bar{y})$   by 21, 22, and PR


To summarize, we showed

15. $\vdash [Q(n+1, \bar{y}) \wedge y_2 = 0] \supset \Diamond\psi$   (case 1)

19. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge odd(y_2)] \supset \Diamond Q(n, \bar{y})$   (case 2)

23. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset \Diamond Q(n, \bar{y})$   (case 3)

Then since

24. $\vdash Q(n+1, \bar{y}) \supset [y_2 = 0 \vee (y_2 > 0 \wedge odd(y_2)) \vee (y_2 > 0 \wedge even(y_2))]$   by domain

it follows that

25. $\vdash Q(n+1, \bar{y}) \supset [\Diamond\psi \vee \Diamond Q(n, \bar{y})]$   by 15, 19, 23, 24 and PR

This concludes the first proof of the total correctness of our example.


PROOF 2: Using Forward Transition Axioms

For comparison, let us now prove the total correctness of program $E$ using the forward transition axioms. The proof turns out to be longer than the previous one using the backward axioms.

The forward transition axiom schemas corresponding to the program (taking again the weaker form, with $\Diamond$ rather than $\bigcirc$) are:

$F'_\alpha$ : $\vdash at\,\ell_0 \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (x_1, x_2, 1)]$

$F'_\beta$ : $\vdash [at\,\ell_1 \wedge y_2 = 0 \wedge \bar{y} = \bar{u}] \supset \Diamond[at\,\ell_2 \wedge \bar{y} = \bar{u}]$

$F'_\gamma$ : $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge odd(y_2) \wedge \bar{y} = \bar{u}] \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (u_1, u_2 - 1, u_1 \cdot u_3)]$

$F'_\delta$ : $\vdash [at\,\ell_1 \wedge y_2 > 0 \wedge even(y_2) \wedge \bar{y} = \bar{u}] \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (u_1^2, u_2 \div 2, u_3)]$

Again, let

$\varphi$ : $at\,\ell_0 \wedge x_2 \ge 0$
$\psi$ : $at\,\ell_2 \wedge y_3 = x_1^{x_2}$.

We would like to establish the total correctness of the program, i.e.,
$\vdash \varphi \supset \Diamond\psi$.

As before, we prove

(a) $\vdash \varphi \supset \Diamond\exists k.Q(k, \bar{y})$

(b) $\vdash (\exists k.Q(k, \bar{y})) \supset \Diamond\psi$, or equivalently, $\vdash Q(k, \bar{y}) \supset \Diamond\psi$,

where

$Q(n, \bar{y})$ : $at\,\ell_1 \wedge (0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}$.

Parts (a) and (b) imply the desired result $\vdash \varphi \supset \Diamond\psi$ by rule $\Diamond$C. We proceed to prove (a) and (b).


proof of (a):

1. $\vdash at\,\ell_0 \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (x_1, x_2, 1)]$   by $F'_\alpha$

2. $\vdash [at\,\ell_0 \wedge x_2 \ge 0] \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (x_1, x_2, 1) \wedge x_2 \ge 0]$   by FR

3. $\vdash x_2 \ge 0 \supset [1 \cdot x_1^{x_2} = x_1^{x_2} \wedge (0 \le x_2 \le x_2)]$   by domain

4. $\vdash [\bar{y} = (x_1, x_2, 1) \wedge 1 \cdot x_1^{x_2} = x_1^{x_2} \wedge (0 \le x_2 \le x_2)] \supset [y_3 \cdot y_1^{y_2} = x_1^{x_2} \wedge (0 \le y_2 \le y_2)]$   by E2 and PR

5. $\vdash [at\,\ell_1 \wedge \bar{y} = (x_1, x_2, 1) \wedge x_2 \ge 0] \supset [at\,\ell_1 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2} \wedge (0 \le y_2 \le y_2)]$   by 3, 4, and PR

6. $\vdash [at\,\ell_1 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2} \wedge (0 \le y_2 \le y_2)] \supset \exists k[at\,\ell_1 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2} \wedge (0 \le y_2 \le k)]$   by T24

7. $\vdash [at\,\ell_0 \wedge x_2 \ge 0] \supset \Diamond\exists k[at\,\ell_1 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2} \wedge (0 \le y_2 \le k)]$   by 2, 5, 6, $\Diamond$Q and PR

i.e. $\vdash \varphi \supset \Diamond\exists k.Q(k, \bar{y})$.


proof of (b): We use the induction rule IND:

(b1) $\vdash Q(0, \bar{y}) \supset \Diamond\psi$
(b2) $\vdash Q(n+1, \bar{y}) \supset [\Diamond\psi \vee \Diamond Q(n, \bar{y})]$
--------------------------------------------
$\vdash Q(k, \bar{y}) \supset \Diamond\psi$


In our proof we use the special consequence rule

Consequence rule $\exists\Diamond$Q:

$\vdash w_1 \supset \exists u.w_2$
$\vdash w_2 \supset \Diamond w_3$
$\vdash w_3 \supset w_4$
--------------------------------------------
$\vdash w_1 \supset \Diamond w_4$

where $u$ is not free in $w_4$.

proof of rule:

(1) $\vdash w_1 \supset \exists u.w_2$   given

(2) $\vdash w_2 \supset \Diamond w_3$   given

(3) $\vdash \exists u.w_2 \supset \exists u.\Diamond w_3$   by $\exists\exists$

(4) $\vdash \exists u.w_2 \supset \Diamond\exists u.w_3$   by T29 and PR

(5) $\vdash w_3 \supset w_4$   given

(6) $\vdash \exists u.w_3 \supset w_4$   by $\exists$I, since $u$ not free in $w_4$

(7) $\vdash w_1 \supset \Diamond w_4$   by (1), (4), (6), and $\Diamond$Q

proof of (b1):

8. $\vdash (0 \le y_2 \le 0) \supset (y_2 = 0)$   by domain

9. $\vdash Q(0, \bar{y}) \supset [at\,\ell_1 \wedge \bar{y} = \bar{y} \wedge y_2 = 0 \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$   by E1 and PR

10. $\vdash Q(0, \bar{y}) \supset \exists\bar{u}.[at\,\ell_1 \wedge \bar{y} = \bar{u} \wedge u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}]$   by T24 and PR

11. $\vdash [at\,\ell_1 \wedge u_2 = 0 \wedge \bar{y} = \bar{u}] \supset \Diamond[at\,\ell_2 \wedge \bar{y} = \bar{u}]$   by $F'_\beta$, E2, and PR

12. $\vdash [at\,\ell_1 \wedge \bar{y} = \bar{u} \wedge u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}] \supset \Diamond[at\,\ell_2 \wedge \bar{y} = \bar{u} \wedge u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}]$   by FR

13. $\vdash (u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}) \supset u_3 = x_1^{x_2}$   by domain

14. $\vdash (at\,\ell_2 \wedge u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}) \supset (at\,\ell_2 \wedge u_3 = x_1^{x_2})$   by PR

15. $\vdash (at\,\ell_2 \wedge \bar{y} = \bar{u} \wedge u_2 = 0 \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}) \supset (at\,\ell_2 \wedge y_3 = x_1^{x_2})$   by E2 and PR

16. $\vdash Q(0, \bar{y}) \supset \Diamond\psi$   by 10, 12, 15 and $\exists\Diamond$Q


proof of (b2): We have to consider three cases: $y_2 = 0$, $y_2 > 0 \wedge odd(y_2)$, and $y_2 > 0 \wedge even(y_2)$. Let us only prove the last case.

Case 3: $y_2 > 0 \wedge even(y_2)$.

17. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset [at\,\ell_1 \wedge \bar{y} = \bar{y} \wedge y_2 > 0 \wedge even(y_2) \wedge (0 \le y_2 \le n+1) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$   by E1 and PR

18. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset \exists\bar{u}.[at\,\ell_1 \wedge \bar{y} = \bar{u} \wedge u_2 > 0 \wedge even(u_2) \wedge (0 \le u_2 \le n+1) \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}]$   by T24 and PR

19. $\vdash [at\,\ell_1 \wedge \bar{y} = \bar{u} \wedge u_2 > 0 \wedge even(u_2)] \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (u_1^2, u_2 \div 2, u_3)]$   by $F'_\delta$, E2, and PR

20. $\vdash [at\,\ell_1 \wedge \bar{y} = \bar{u} \wedge u_2 > 0 \wedge even(u_2) \wedge (0 \le u_2 \le n+1) \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}] \supset \Diamond[at\,\ell_1 \wedge \bar{y} = (u_1^2, u_2 \div 2, u_3) \wedge even(u_2) \wedge (0 \le u_2 \le n+1) \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}]$   by FR

21. $\vdash [even(u_2) \wedge (0 \le u_2 \le n+1) \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}] \supset [(0 \le u_2 \div 2 \le n) \wedge u_3 \cdot (u_1^2)^{u_2 \div 2} = x_1^{x_2}]$   by domain

22. $\vdash [at\,\ell_1 \wedge \bar{y} = (u_1^2, u_2 \div 2, u_3) \wedge even(u_2) \wedge (0 \le u_2 \le n+1) \wedge u_3 \cdot u_1^{u_2} = x_1^{x_2}] \supset [at\,\ell_1 \wedge (0 \le y_2 \le n) \wedge y_3 \cdot y_1^{y_2} = x_1^{x_2}]$   by E2 and PR

23. $\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset \Diamond Q(n, \bar{y})$   by 18, 20, 22, and $\exists\Diamond$Q


To summarize, we can show

$\vdash [Q(n+1, \bar{y}) \wedge y_2 = 0] \supset \Diamond\psi$   (case 1)

$\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge odd(y_2)] \supset \Diamond Q(n, \bar{y})$   (case 2)

$\vdash [Q(n+1, \bar{y}) \wedge y_2 > 0 \wedge even(y_2)] \supset \Diamond Q(n, \bar{y})$   (case 3)

Then since

$\vdash Q(n+1, \bar{y}) \supset [y_2 = 0 \vee (y_2 > 0 \wedge odd(y_2)) \vee (y_2 > 0 \wedge even(y_2))]$   by domain

it follows that

$\vdash Q(n+1, \bar{y}) \supset [\Diamond\psi \vee \Diamond Q(n, \bar{y})]$   by PR

This concludes the alternative proof of the total correctness of our example.